Responsibility
Controller
The responsible party (referred to as "controller" in the General Data Protection Regulation (GDPR) of the European Union (EU)) for this website is:
Institut für Klinische Molekularbiologie
Christian-Albrechts-Universität zu Kiel
Rosalind-Franklin-Straße 12
24105 Kiel, Germany
Tel.: +49 431 500 151 01
sekretariat@mucosa.de
For our regulations on the processing of your genetic data and your role as a data controller in this case, see the section Processing of Genetic Data below.
Data processor
The data processor is the Institute of Clinical Molecular Biology:
Institut für Klinische Molekularbiologie
Christian-Albrechts-Universität zu Kiel
Rosalind-Franklin-Straße 12
24105 Kiel, Germany
Tel.: +49 431 500 151 01
hpcwebservice@ikmb.uni-kiel.de
Data Protection Officer
Stella Thoben
Christian-Albrechts-Universität zu Kiel
Datenschutzbeauftragte
Informationssicherheit/Forschungsdatenmanagement
Leibnizstraße 9
24118 Kiel, Germany
Tel.: +49 431 880 3581
sthoben@uv.uni-kiel.de
General information
Definitions according to Art. 4 of the GDPR
We use the following terms, among others, in this privacy policy:
Personal data
Personal data means any information relating to an identified or identifiable natural person (hereinafter "data subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Data subject
Data subject means any identified or identifiable natural person whose personal data are processed by the data processor.
Genetic data
Data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.
Legal basis for processing
Art. 6 (1) (a) GDPR serves as the legal basis for us for processing operations in which we obtain consent for a specific processing purpose.
If the processing of personal data is necessary for the performance of a contract to which the data subject is a party, as is the case, for example, with processing operations that are necessary for the delivery of goods or the provision of another service or consideration, the processing is based on Art. 6 (1) (b) GDPR.
The same applies to processing operations that are necessary for the implementation of pre-contractual measures, for example in the case of enquiries about our products or services.
If we are subject to a legal obligation by which the processing of personal data becomes necessary, such as for the fulfilment of tax obligations, the processing is based on Art. 6 (1) (c) GDPR.
In rare cases, the processing of personal data might become necessary in order to protect the vital interests of the data subject or another natural person.
This would be the case, for example, if a visitor were to be injured on our premises and as a result his or her name, age, health insurance details or other vital information had to be passed on to a doctor, hospital or other third party. Then the processing would be based on Art. 6 (1) (d) GDPR.
Ultimately, processing operations are based on Art. 6 (1) (f) GDPR.
Processing operations that are not covered by any of the aforementioned legal bases are based on this legal basis if the processing is necessary to protect a legitimate interest of our company or a third party, provided that the interests, fundamental rights and freedoms of the data subject are not overridden.
Such processing operations are permitted to us in particular because they were specifically mentioned by the European legislator. In this respect, it took the view that a legitimate interest could be assumed if the data subject is a customer of the controller (recital 47, sentence 2 of the GDPR).
Data collection and processing
Collection of personal data on the website
In principle, we do not collect or use any personal data when you visit our website.
This only happens insofar as it is necessary for the provision of a functional website as well as our contents and services.
The collection and use of our users' personal data regularly only takes place with their consent.
This does not apply in cases where it is not possible to obtain prior consent for factual reasons and the processing of the data is permitted by legal regulations.
In the following, we would like to inform you about the type, scope and purpose of our data handling within the framework of this website:
Each time our website is accessed, the user's access data that your browser automatically transmits to us is stored on our server in a log file.
These are:
- Browser type / browser version
- Operating system used
- Date and time of the server request
- IP address of the computer requesting the website
- Website from which the access was made (referrer URL)
- Resource accessed
- Amount of data transferred
- HTTP status code of the server request
The storage of the log file serves the following purposes:
- System security and stability of the website
- Checking for use in breach of contract or other illegal use, if there are actual indications of such use
The legal basis for this data processing is Art. 6 (1) (f) s.1 GDPR. Our legitimate interest follows from the above-mentioned purposes for data collection. In no case do we use the collected data for the purpose of drawing conclusions about your person. We do not combine this data with other data sources.
The data in the server log file is stored for no longer than 30 days and is automatically deleted afterwards.
If you create a user account, we store the following data provided by you:
- Your email address
- A hash value from your access password (not the clear text password!)
- The key ID and the corresponding public key for any optional 2-factor authentication device
We store this information to authorise access to your account. The storage of the email address serves the following extra purposes:
- Account verification: You receive an email from us to verify the creation of an account.
- Notification of results: You receive an email from us to notify you that one of your submitted jobs has terminated (either finished or cancelled).
- Notification of automatic data deletion: You receive an email from us to notify you about an upcoming automatic deletion of result and/or job data. This email is sent to you one day before automatic deletion.
- Password reset: We contact you via your provided email address to send you a link to reset your access password, if you requested this.
- Notification about problems regarding a job submitted by you for processing on our server: If our service is not able to process your job as intended, or if our service fails or encounters failures and/or restrictions while processing your job, we might contact you to inform you about the encountered problems.
The legal basis for this data processing is Art. 6 (1) (a) GDPR. With the creation of an account, you explicitly give us consent to process your data in the described way. In no case do we use your data to contact you for purposes other than those described, and in no case do we connect your data to other data sources or provide it to third parties. In particular, we do not connect this user account data to the access log file of our website mentioned above.
Contact
When contacting us (e.g. by contact form, e-mail, telephone or via social media), the user's details are processed for the purpose of handling the contact request and its processing pursuant to Art. 6 (1) (b) GDPR. We delete the enquiries if they are no longer necessary. We review the necessity every two years; furthermore, the statutory archiving obligations apply.
Duration of storage
The criterion for the duration of storage of personal data is the respective statutory retention period. After expiry of the period, the corresponding data is routinely deleted if it is no longer required for the fulfilment or initiation of the contract.
The user account data is stored in our database until the user requests the deletion of his or her account. The request can be made directly via the account management functions on the website or by an informal request directly to us, either in writing or by email.
The data stored in the access logfile of our website (which is also used to log and detect server attacks) is automatically deleted after 30 days.
Processing of genetic data
The processing of the genetic data of individuals that you provide to us may fall under the GDPR.
If so, we are the data processor of that genetic data and you agree that you are the data controller (as defined in the GDPR).
That genetic data you provide to us may require consent of the data subject.
Insofar as you provide us with this type of data for processing, you assure us that you have obtained such consent or that, pursuant to Art. 9 (2) (i) GDPR, "processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy."
You also assure us that the data files contain only pseudonymous genetic data.
In particular, the sample identifiers must not contain the real names of any individual or any other elements that would allow us to identify the individuals associated with the genetic data.
We will only process the genetic data you provide to us as directed.
Genetic data will be processed by us on your behalf for the purpose of data processing in support of your genetic research, but only for as long as is necessary to carry out the data processing.
After completion of the work, the result data will be made available to you for download and deleted from our servers after 7 days at the latest if not explicitly deleted by you.
Disclosure of personal and genetic data to third parties
Your personal and provided genetic data is stored exclusively on our university servers located in Kiel, Germany. Access to this data and the use of the data is only possible for an authorised group of employees and we will only process the genetic data you provide to us as directed.
Your data will not be transferred to third parties without your consent, and no such transfer is intended in the future.
Data security
To protect your personal and genetic data, we have taken technical and organisational measures to ensure that your data is protected against accidental or intentional loss, destruction or manipulation and access by unauthorised persons. Our protective measures are reviewed at regular intervals and, if necessary, adapted to technical progress.
We will inform you without undue delay if we become aware of any unauthorised access or breach of personal or genetic data that is processed on your behalf.
SSL or TLS encryption
For security reasons and to protect the transmission of confidential content that you send to us as the site operator, our website uses SSL or TLS encryption. This means that data you transmit via this website cannot be read by third parties. You can recognise an encrypted connection by the "https://" address line of your browser and the lock symbol in the browser line.
Cookies
Like many other websites, we also use so-called "cookies". Cookies are small text files that are transferred from a website server to your hard drive.
Cookies cannot be used to run programs or deliver viruses to a computer. The information contained in cookies allows us to facilitate your navigation and enable the correct display of our web pages.
Session cookie
When you log in, you receive a so-called token (session cookie) from the backend of the website (protected area).
This token is unique and is sent to the backend with every further request.
In this way, the requests can be assigned to you and it can be checked whether you have the required legitimation for your request (identification / authentication & authorisation).
Personal data (for us currently only the token) is only stored in the cookie when you log in.
The token is deleted again when you log out or close the browser window.
Under no circumstances will the data we collect be passed on to third parties or linked to personal data without your consent.
The processing of data by cookies is necessary for the aforementioned purposes to protect our legitimate interests and, if applicable, those of third parties in accordance with Art. 6 (1) (f) s.1 GDPR.
In particular, no personal data is stored in the cookie.
Of course, you can also view our website without cookies. Internet browsers are regularly set to accept cookies. You can deactivate the use of cookies at any time via your browser settings. Please use the help functions of your internet browser to find out how to change these settings. Please note that individual functions of our website may not work if you have deactivated the use of cookies and you will then not be able to log in to our website.
Data subject rights
Withdrawal of your consent to data processing
Some data processing operations are only possible with your express consent. You can revoke your consent at any time. For the revocation, an informal communication by e-mail to hpcwebservice@ikmb.uni-kiel.de is sufficient. The legality of the data processing carried out until the revocation remains unaffected by the revocation.
Right to complain to the competent supervisory authority
Without prejudice to any other rights of appeal, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, workplace or the place of the alleged infringement, if you consider that the processing of your personal data infringes the GDPR.
The following link provides a list of data protection officers and their contact details: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html
Right to data portability
You have the right to receive your personal data that you may have provided to us in a structured, commonly used and machine-readable format. You also have the right to transfer this data to another controller without hindrance from us, provided that
- the processing is based on consent pursuant to Art. 6 (1) (a) s.1 GDPR or Art. 9 (2) (a) GDPR or on a contract pursuant to Art. 6 (1) (b) s.1 GDPR and
- the processing is carried out with the help of automated procedures.
Furthermore, you have the right in this respect to obtain the transfer of your personal data directly from us to another controller, insofar as this is technically feasible. The rights and freedoms of other persons must not be affected by this.
The right to data portability does not apply to processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.
In the context of offering our website, we currently do not assume that data subject to the right to data portability are processed.
Right of access
You can ask us to confirm whether we are processing personal data about you. If there is such processing, you can ask us for information about the following:
- The purposes for which the personal data are processed;
- the categories of personal data which are processed;
- the recipients or categories of recipients to whom your personal data have been or will be disclosed;
- the planned duration of the storage of your personal data or, if concrete information on this is not possible, criteria for determining the storage duration;
- the existence of a right of appeal to a supervisory authority;
- any available information about the origin of the data if the personal data is not collected from you;
- the existence of automated decision-making, including profiling, pursuant to Art. 22 (1) and (4) of the GDPR and - at least in these cases - meaningful information about the logic involved and the scope and intended effects of such processing for you.
Furthermore, you have the right to request information on whether your personal data is transferred to a third country or to an international organisation. In this context, you may request to be informed about the appropriate safeguards pursuant to Art. 46 of the GDPR in connection with the transfer.
Right to rectification
You have the right to have us correct and/or complete your personal data if your processed data is inaccurate or incomplete. Should this be the case, we will make the correction without delay.
Right to restriction of processing
You have the right to request the restriction of the processing of your personal data if:
- you dispute the accuracy of your personal data for a period of time that allows us to verify the accuracy of the data;
- the processing is unlawful and you object to the erasure of your personal data and request the restriction of its use instead;
- we no longer need your personal data for the purposes of processing, but you need them for the assertion, exercise or defence of legal claims, or
- you have objected to the processing in accordance with Art. 21 (1) GDPR and it is not yet clear whether our legitimate reasons outweigh your reasons.
If you have requested the restriction of the processing of your personal data, this data may - apart from being stored - only be processed with your consent or for the assertion, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of an important public interest of the Union or a Member State. You will be informed by us before the restriction is lifted.
Right to deletion
You may request us to delete your personal data without delay. We are obliged to delete this data immediately if one of the following reasons applies:
- Your personal data is no longer necessary for the purposes for which it was collected or otherwise processed.
- You revoke any existing consent on which the processing was based pursuant to Art. 6 (1) (a) s.1 or Art. 9 (2) (a) GDPR and there is no other legal basis for further processing.
- You object to the processing pursuant to Art. 21 (1) of the GDPR and there are no overriding legitimate grounds for the processing.
- You object to processing for the purposes of direct marketing pursuant to Art. 21 (2) of the GDPR.
- Your personal data have been processed unlawfully.
- The erasure of your personal data is necessary for compliance with a legal obligation under Union or Member State law to which we are subject.
- Your personal data has been collected in relation to information society services offered in accordance with Art. 8 (1) of the GDPR.
If we have made your personal data public and we are obliged to erase it pursuant to Art. 17 (1) of the GDPR, we shall take reasonable steps, taking into account the available technology and the cost of implementation, to inform the data controller that you have requested from him/her the erasure of all links to, copies of, or replications of such personal data.
Your right to erasure does not apply to the extent that the processing is necessary
- to exercise the right to freedom of expression and information;
- for compliance with a legal obligation which requires processing under Union or Member State law to which we are subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in us;
- for reasons of public interest in the area of public health pursuant to Art. 9 (2) (h) and (i) and Art. 9 (3) GDPR;
- for archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes pursuant to Art. 89 (1) GDPR, insofar as the right referred to in (1) is likely to render impossible or seriously prejudice the achievement of the purposes of such processing; or
- for the assertion, exercise or defence of legal claims.
Right to information
If you have asserted your right to rectification, erasure or restriction of processing against us, we are obliged to inform all recipients to whom your personal data has been disclosed of this rectification or erasure of the data or restriction of processing, unless this proves impossible or involves a disproportionate effort.
You have the right to be informed by us of these recipients.
Right to object
You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data which is carried out on the basis of Art. 6 (1) (e) s.1 or Art. 6 (1) (f) GDPR; this also applies to profiling based on these provisions.
We will then no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
If your personal data is processed for the purpose of direct marketing, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing; this also applies to any associated profiling.
If you object to processing for direct marketing purposes, your personal data will no longer be processed for these purposes.
You have the possibility, in connection with the use of information society services, notwithstanding Directive 2002/58/EC, to exercise your right to object by means of automated procedures using technical specifications. Pursuant to Art. 57 (1) (f) of the GDPR, you may exercise your right to lodge a complaint with the competent supervisory authority at any time.
Automated decision in individual cases including profiling
You have the right not to be subject to a decision based solely on automated processing - including profiling - which produces legal effects concerning you or similarly significantly affects you. We do not carry out such processing.
Responsibility for linked content
On our website we may also use links to websites of other providers. In this respect, this data protection declaration does not apply. Should personal data be collected, processed or used when using the websites of these other providers, please refer to the data protection information of the respective providers. We are not responsible for their data protection practices.
Changes to our privacy policy
We reserve the right to adapt this data protection declaration from time to time so that it always complies with the current legal requirements or in order to implement changes to our services in the data protection declaration, e.g. when introducing new services. The new data protection declaration will then apply to your next visit.