Data Protection Notice in accordance with the EU General Data Protection Regulation of the Society for Congenital Metabolic Disorders e.V. (GfAS)
valid for members, customers, and interested parties
of the Society for Congenital Metabolic Disorders e.V. (GfAS)
As of: January 2021
With the following information, we provide you with an overview of the processing of your personal data by us in accordance with Art. 13 & 14 GDPR and your rights under data protection law. Which data are processed in detail and how they are used depends significantly on the agreed purposes, which primarily include membership in the GfAS, participation in our events, or involvement in GfAS projects.
1. Who is responsible for data processing and whom can I contact?
The controller within the meaning of the General Data Protection Regulation, other data protection laws applicable in the member states of the European Union, and other provisions of a data protection nature is:
Society for Congenital Metabolic Disorders e.V. (GfAS)
Registered office with the Treasurer and Secretary,
Prof. Dr. P. Freisinger,
Department of Pediatrics and Adolescent Medicine
Klinikum am Steinenberg,
Steinenbergstraße 31
72764 Reutlingen, Germany
Tel.: +49 7121 200-4050
Contact: gfas@studio12.co.at
Website: https://www.gfas.de
The data protection officer of the association is the aforementioned secretary.
Any data subject may contact our data protection officer directly at any time with all questions and suggestions regarding data protection.
2. What sources and data do we use?
We process personal data of our members, event customers, as well as interested parties and project participants who voluntarily provide us with their data. In addition, we process personal data that we have researched online on publicly accessible websites of the respective hospitals and other institutions within the framework of projects to promote the work of the Society for Congenital Metabolic Disorders e.V. (GfAS).
The personal data relevant in the context of projects and for event participants are limited to: name, first name, title, business address, contact details (email, phone, fax), gender.
When applying for membership in the GfAS, the employer, educational background, and bank details for the direct debit procedure are additionally stored and processed.
Within the framework of certain time-limited projects such as continuing education events or new member recruitment campaigns, GfAS researches personal data exclusively on publicly accessible websites of hospitals, medical practices, or other institutions. The data available there are collected by us within the scope of our projects for the purpose of making contact and under a balancing of interests (Art. 6 para. 1 lit. f) GDPR) (for more details, see point 3).
3. For what purpose do we process your data (purpose of processing) and on what legal basis?
We process the aforementioned personal data in accordance with the provisions of the EU General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG, or new BDSG):
a) for the fulfillment of contractual obligations (Article 6 para. 1 lit. b) GDPR)
The processing of personal data takes place to safeguard the rights and obligations of our members, such as the payment of membership fees, participation in our annual congress, or regular contact via mail and email regarding current topics from the association and the field of pediatric metabolic disorders. Furthermore, the processing of personal data of our event participants takes place for the smooth running and assignment of persons on site, any informative contact in advance, and the verification of incoming payments.
b) Within the framework of balancing interests (Article 6 para. 1 lit. f) GDPR)
Where necessary, we process your data beyond the actual fulfillment of the contract to safeguard our legitimate interests:
- Informational mailings by mail or email regarding current continuing education events or other projects of the GfAS and the institution commissioned by it for conference organization
- Advertising via mail and email for membership in the GfAS
- Manual creation of business addresses / email addresses of certain experts that are necessary for initial contact and correspondence within the framework of our continuing education offers or special projects of the GfAS
Given the non-sensitive and publicly accessible data of the data subjects, we are of the opinion that the use of the data for the aforementioned points is legitimate. Furthermore, the interest of the recipients in such content is likely to be high, as all doctors are obliged to regularly attend such events as part of the continuing education regulations.
c) Based on your consent (Article 6 para. 1 lit. a) GDPR)
Insofar as you have given us consent to process personal data for specific purposes, the lawfulness of this processing is given on the basis of your consent. Granted consent can be revoked at any time. This also applies to the revocation of declarations of consent issued before the GDPR came into force on May 25, 2018. Services that we only provide with consent are:
- for event participants: The sending of information mailings regarding GfAS events or third parties
- for members: The sending of information mailings regarding events of GfAS cooperation partners
4. Who receives my data?
Within our professional society, those employees who require access to your data for the fulfillment of our contractual and legal obligations receive it. Service providers and vicarious agents employed by us may also receive data for these purposes, provided they comply with data protection instructions.
These so-called data processors include, among others: employees of the company studio12, Innsbruck (conference organization, sponsorship management, GfAS society secretariat); Springer Verlag, Heidelberg.
5. Are data transferred to a third country or an international organization?
GfAS does not transfer your personal data to countries outside the EU or the EEA (so-called third countries).
A transfer of anonymized user data to the USA takes place within the framework of the website analysis software Google Analytics.
6. How long will my data be stored?
We process and store your personal data for as long as it is necessary for the fulfillment of our contractual and legal obligations. If the data are no longer required for the fulfillment of contractual or legal obligations, they are regularly deleted. We distinguish between three groups of data subjects:
Membership data: We process and store your personal data for as long as it is necessary for the fulfillment of our contractual and legal obligations. Membership data are retained for ten years from the date of the last invoice after the withdrawal becomes effective (usually on January 1 of the year following the termination) to comply with the legal requirements of § 257 para. 1 no. 1 and 4 HGB. Since invoice documents are electronically assigned to the respective master data record with us, the corresponding data record must also be retained for 10 years.
Seminar participants: We process and store your personal data for as long as it is necessary for the fulfillment of our contractual and legal obligations. Participant master data are stored for ten years from the date of the last invoice to comply with the legal requirements of § 257 para. 1 no. 1 and 4 HGB. Since invoice documents are electronically assigned to the respective master data record with us, the corresponding data record must also be retained for 10 years.
Project-related personal data: GfAS understands project-related personal data as personal data records that are voluntarily submitted by the project participants themselves within the framework of a specific project or researched on publicly accessible hospital websites and manually created. These data are deleted three years after the project’s completion. In this way, GfAS aims to ensure that a new edition or follow-up in completed projects is still possible. Since these projects always deal with questions concerning pediatric metabolic disorders, we are of the opinion, firstly, that the extended storage is also in the interest of the data subject and, secondly, that the legitimate interests of GfAS (networking) according to Art. 6 para. 1 lit. f) GDPR outweigh those of the data subject (protection of their own data). Data records of this type will, of course, be deleted at any time upon request.
7. What data protection rights do I have?
Every data subject has the right to information according to Article 15 GDPR, the right to rectification according to Article 16 GDPR, the right to erasure according to Article 17 GDPR, the right to restriction of processing according to Article 18 GDPR, the right to object according to Article 21 GDPR, and the right to data portability according to Article 20 GDPR. For the right to information and the right to erasure, the restrictions according to §§ 34 and 35 BDSG apply. Furthermore, there is a right to lodge a complaint with a data protection supervisory authority (Article 77 GDPR in conjunction with § 19 BDSG).
You can revoke any consent given for the processing of personal data at any time. This also applies to the revocation of declarations of consent that were given to us before the EU General Data Protection Regulation came into force, i.e., before May 25, 2018.
Please note that the revocation is only effective for the future. Processing operations that took place before the revocation are not affected by it.
8. Am I obliged to provide data?
Within the framework of membership or our business relationship, you must provide the personal data that are necessary for the establishment and execution of a business relationship and the fulfillment of the associated contractual obligations, or which we are legally obliged to collect. Without this data, we will generally have to refuse to conclude the contract or execute the order, or we will no longer be able to carry out an existing contract and may have to terminate it.
9. To what extent is there automated decision-making (including profiling)?
As a matter of principle, we do not use fully automated decision-making in accordance with Article 22 GDPR for the establishment and execution of the business relationship.