Data protection

Name and address of the data controller

Friedrich-Alexander-Universität Erlangen-Nürnberg (FAU) is responsible for its websites within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws as well as other data protection regulations. It is legally represented by its President. For contact details, please consult the legal notice on FAU’s central website.

The respective FAU institutions are responsible for any content they make available on the websites of Friedrich-Alexander-Universität Erlangen-Nürnberg (FAU). For questions related to specific content, please contact the person responsible as named in the legal notice on the respective web page.

Faculty of Medicine of Friedrich-Alexander-Universität Erlangen-Nürnberg
Krankenhausstr. 12
91054 Erlangen
Telephone: +49 9131 85-29381
Fax: +49 9131 23704
E-Mail: med-redaktion@fau.de
Website: www.med.fau.eu

Name and address of the Data Protection Officer

Norbert Gärtner, RD
Schloßplatz 4
91054 Erlangen
Tel.: +49 9131 85-25860
E-Mail: norbert.gaertner@fau.de
General e-mail: datenschutzbeauftragter@fau.de


General information on data processing

Scope of processing of personal data

We only process our users’ personal data to the extent necessary to provide services, content and a functional website. As a rule, personal data are only processed after the user gives their consent. An exception applies in those cases where it is impractical to obtain the user’s prior consent and the processing of such data is permitted by law.

Legal basis for the processing of personal data

Art. 6 (1) (a) of the EU General Data Protection Regulation (GDPR) forms the legal basis for us to obtain the consent of a data subject for their personal data to be processed.
When processing personal data required for the performance of a contract in which the contractual party is the data subject, Art. 6 (1) (b) GDPR forms the legal basis. This also applies if data has to be processed in order to carry out pre-contractual activities.
Art. 6 (1) (c) GDPR forms the legal basis if personal data has to be processed in order to fulfil a legal obligation on the part of our organisation.
Art. 6 (1) (d) GDPR forms the legal basis in the case that vital interests of the data subject or another natural person make the processing of personal data necessary.
If data processing is necessary in order to protect the legitimate interests of our organisation or of a third party and if the interests, basic rights and fundamental freedoms of the data subject do not outweigh the interests mentioned above, Art. 6 (1) (f) GDPR forms the legal basis for such data processing.

Deletion of data and storage period

The personal data of the data subject are deleted or blocked as soon as the reason for storing them ceases to exist. Storage beyond this time period may occur if provided for by European or national legislators in directives under Union legislation, laws or other regulations to which the data controller is subject. Such data are also blocked or deleted if a storage period prescribed by one of the above-named rules expires, unless further storage of the data is necessary for entering into or performing a contract.

Provision of the website and generation of log files

Description and scope of data processing

Each time our website is accessed, our system automatically collects data and information from the user’s computer system.
In this context, the following data are collected:

  • Address (URL) of the website from which the file was requested
  • Name of the retrieved file
  • Date and time of the request
  • Data volume transmitted
  • Access status (file transferred, file not found, etc.)
  • Description of the type of web browser and/or operating system used
  • Anonymised IP address of the requesting computer

The data stored are required exclusively for technical or statistical purposes; no comparison with other data or disclosure to third parties occurs, not even in part. The data are stored in our system’s log files. This is not the case for the user’s IP addresses or other data that make it possible to assign the data to a specific user: before data are stored, each dataset is anonymised by changing the IP address. These data are not stored together with other personal data.

Legal basis for data processing

The legal basis for the temporary storage of data and log files is Art. 6 (1) (f) GDPR.

Purpose of data processing

The temporary storage of the IP address by the system is necessary in order to deliver the website to the user’s computer. For this purpose, the user’s IP address must remain stored for the duration of the session.
The storage of such data in log files takes place in order to ensure the website’s functionality. These data also serve to help us optimise the website and ensure that our IT systems are secure. They are not evaluated for marketing purposes in this respect.
The purposes stated above constitute our legitimate interests in processing data in accordance with Art. 6 (1) (f) GDPR.

Storage period

Data are deleted as soon as they are no longer necessary for fulfilling the purpose for which they were collected. If data have been collected for the purpose of providing the website, they are deleted at the end of the respective session.
If data are stored in log files, they are deleted at the latest after seven days. A longer storage period is possible. In this case, the users’ IP addresses are deleted or masked so that they can no longer be assigned to the client accessing the website.

Options for filing an objection or requesting removal

The collection of data for the purpose of providing the website and the storage of such data in log files is essential to the website’s operation. As a consequence, the user has no possibility to object.

Use of cookies

Description and scope of data processing

Our website uses cookies. Cookies are text files that are saved in the user’s web browser or by the web browser on the user’s computer system. When a user accesses a website, a cookie can be stored in the user’s operating system. This cookie contains a character string that allows the unique identification of the browser when the website is accessed again.

We use cookies to make our website more user-friendly. Some parts of our website require that the requesting browser can also be identified after changing pages.
During this process, the following data are stored in the cookies and transmitted:

  • Log-in information (only in the case of protected information that is made available exclusively to FAU members)
  • Search preferences (from October 2018)

Technical measures are taken to pseudonymise user data collected in this way. This means that the data can no longer be assigned to the user. The data are not stored together with other personal data of the user.
When accessing our website, a banner informs users that cookies are used for analysis purposes and makes reference to this data protection policy. In connection with this, users are also instructed how they can block the storage of cookies in their browser settings.

Legal basis for data processing

The legal basis for the processing of personal data with the use of cookies is Art. 6 (1) (f) GDPR.

Purpose of data processing

Analysis cookies are used for the purpose of improving the quality of our website and its content. We learn through the analysis cookies how the website is used and in this way can continuously optimise our web presence.
These purposes also constitute our legitimate interests in the processing of personal data in accordance with Art. 6 (1) (f) GDPR.

Storage period, options for filing an objection or requesting removal

As cookies are stored on the user’s computer and are transmitted from it to our website, users have full control over the use of cookies. You can deactivate or restrict the transmission of cookies by changing the settings in your web browser. Cookies that are already stored can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it may be the case that not all of the website’s functions can be used in full.

Newsletters

Description and scope of data processing

You can subscribe to free newsletters via our website. When you register for a newsletter, the data from the input form are transmitted to us.
In the course of the registration process, we request your consent for the processing of your personal data and draw your attention to this data protection policy.
No data are disclosed to third parties in connection with data processing for the dispatch of newsletters. Such data are used exclusively for dispatching and improving our newsletters.

Legal basis for data processing

Once the user has granted consent, the legal basis for data processing following the user’s registration for a newsletter is Art. 6 (1) (a) GDPR.

Purpose of data processing

The user’s e-mail address is needed to deliver the newsletter.

Storage period

Data are deleted as soon as they are no longer necessary for fulfilling the purpose for which they were collected. Accordingly, users’ email addresses are stored for as long as they subscribe to the newsletter.

Options for filing an objection or requesting removal

Users can cancel their newsletter subscriptions at any time. Each newsletter contains a link for this purpose.

Contact form and contact by e-mail

Description and scope of data processing

Contact forms are available on our website that can be used to contact us electronically. If a user makes use of this possibility, the data they enter in the input form are transmitted to us and stored.
The contact forms list and explain which data is required. The contact forms indicate if there are any deviations from or additions to the principles, purpose and duration of storage as presented here.

Legal basis for data processing

Once the user has granted consent, the legal basis for data processing is Art. 6 (1) (a) GDPR.

The legal basis for the processing of data transmitted by e-mail is Art. 6 (1) (f) GDPR. If the purpose of the e-mail contact is to enter into a contract, the additional legal basis for data processing is Art. 6 (1) (b) GDPR.

Purpose of data processing

The personal data from the input form are processed solely for the purpose of contacting the user. If the user contacts us by e-mail, this also constitutes our legitimate interests in processing the data.
All other personal data processed during the dispatch of an e-mail serve to prevent misuse of the contact form and to ensure that our IT systems are secure.

Storage period

Data are deleted as soon as they are no longer necessary for fulfilling the purpose for which they were collected. This is the case for the personal data from the input template of the contact form and those data sent by e-mail when the respective conversation with the user has ended. The conversation is regarded as having ended when it can be seen from the circumstances that the subject matter in question has been conclusively settled.

Options for filing an objection or requesting removal

Users can withdraw their consent for the processing of their personal data at any time. If the user contacts us by email, they may withdraw their consent for the storage of their personal data at any time. In such cases, the conversation cannot continue and all personal data which were stored when contact was made are deleted.

Registration forms

Description and scope of data processing

You can register for seminars, events and courses via the forms available on our website. When you register, the data from the input form are transmitted to us.
In the course of the registration process, we request your consent for the processing of your personal data and draw your attention to this data protection policy.
No data are disclosed to third parties in connection with the data processing required for this purpose. Data are used exclusively for administration purposes related to seminars, courses and events.

Legal basis for data processing

Once the user has issued their consent, the legal basis for data processing following the user’s registration for a seminar, course or event is Art. 6 (1) (a) GDPR.

Purpose of data processing

The processing of personal data from the input form is solely for the purpose of allowing us to process the user’s registration for a seminar, course or event. If the user contacts us by e-mail, this also constitutes our legitimate interests in processing the data.
All other personal data processed during the dispatch of an e-mail serve to prevent misuse of the contact form and to ensure that our IT systems are secure.

Storage period

Data are deleted as soon as they are no longer necessary for fulfilling the purpose for which they were collected.

Options for filing an objection or requesting removal

The user can withdraw their consent for the processing of their personal data at any time. If the user contacts us by email, they may withdraw their consent for the storage of their personal data at any time. In such cases, the conversation cannot continue and all personal data which were stored when contact was made are deleted.

Usage of Siteimprove Analytics

Description and scope of data processing

This website uses Siteimprove Analytics, a web analytics service provided by Siteimprove. Siteimprove Analytics uses ‘cookies’, which are text files placed on your computer, to help the FAU analyze how visitors use the site. The information generated by the cookies about the visitors’ use of the website will be stored and processed by Siteimprove on servers in Denmark.

IP addresses are anonymized irreversibly before data is made available in the Siteimprove Analytics or Intelligence Suite for the FAU.

The FAU will use this information for evaluating the visitors’ use of the website, compiling reports on website activity, and ultimately for improving the website experience for its visitors. Siteimprove will not transmit this information to third parties or use it for any marketing or advertising purposes.

These are the cookies used by Siteimprove on this website:

  • Cookie name: nmstat
    • Type: Persistent – expires after 1000 days
    • About: This cookie is used to help record visitors’ use of the website. It is used to collect statistics about site usage such as when the visitor last visited the site. The cookie contains no personal information and is used only for web analytics.
  • Cookie name: siteimproveses
    • Type: Session cookie
    • About: This cookie is used purely to track the sequence of pages a visitor looks at during a visit to the site.

By using this website, the visitor consents to the processing of data about him/her by Siteimprove in the manner and for the purposes set out above.

Legal basis for the processing of personal data

The legal basis for the processing of personal data using cookies is Art. 6 (1) (e) GDPR in conjunction with Art. 4 BayDSG, especially the specification under § 15 (3) TMG and Art. 10 BayHSchG.

Possibilities of objection and deletion

You can prevent the collection of your data by Siteimprove Analytics by clicking the following link. An Opt-Out-Cookie will be set that will prevent future collection of your data when visiting this website:

Google Custom Search Engine

Our website allows the use of the Google Search Engine. The search query will be performed using the Google Custom Search Engine API. No user data will be transmitted by these requests.

SSL encryption

Our website uses SSL encryption for security reasons and to protect the transmission of confidential information, for example enquiries you send to us as operators of the website. You can recognise an encrypted connection when the browser’s address line changes from ‘http://’ to ‘https://’ and a padlock appears in your web browser.

If SSL encryption is activated, the data you transmit to us cannot be read by third parties.

Rights of the data subject

If any of your personal data are processed, you are considered a data subject within the meaning of the GDPR and have the following rights:

Right to information

You have the right to obtain confirmation from the data controller as to whether or not we are processing personal data that concern you.
If your data are being processed, you have the right to request the following from the data controller:

  1. The purposes for which your personal data are processed
  2. The categories of personal data processed
  3. The recipients or categories of recipients to whom the personal data concerning you have been or will be disclosed
  4. The planned storage period for the personal data concerning you or, if details cannot be provided, the criteria used to determine the storage period
  5. The right to rectification or erasure of the personal data concerning you, a right to limitation of processing by the data controller or a right to object to such processing
  6. The right to lodge a complaint with a supervisory authority
  7. All available information on the source of the data if the personal data are not collected from the data subject
  8. Information on automated decision-making processes, including profiling, in accordance with Art. 22 (1) and (4) GDPR and – at least in these cases – authoritative information on the logic involved as well as the scope and intended effects of such processing for the data subject.

You have the right to request information as to whether the personal data concerning you are transmitted to a third country or to an international organisation. In this context, you can request that you are informed of the appropriate safeguards in accordance with Art. 46 GDPR in connection with the transmission of such data.

This right to information can be restricted if granting a right to information is likely to render impossible or seriously impair the research or statistical purposes for which the data is required and restricting the right to information is necessary to achieve the required research or statistical purposes.

Right to rectification

You have the right to obtain from the data controller the rectification and/or completion of personal data concerning you if the data processed are inaccurate or incomplete. The data controller must rectify such data without delay.

Your right to rectification can be restricted insofar as it is likely to render impossible or seriously impair the research or statistical purposes for which the data is required and restricting the right to rectification is necessary for achieving the required research or statistical purposes.

Right to restriction of processing

You may request that the processing of personal data concerning you is restricted in the event that one of the following applies:

  1. You contest the accuracy of the personal data concerning you for a period that enables the data controller to verify the accuracy of such personal data
  2. The processing is unlawful and you oppose the erasure of the personal data and instead request the restriction of their use.
  3. The data controller no longer requires the personal data for the purposes of processing, but you need them in order to assert, exercise or defend legal claims.
  4. You have objected to processing in accordance with Art. 21 (1) GDPR and it has not yet been established whether the legitimate reasons of the data controller outweigh your reasons.

If the processing of personal data concerning you has been restricted, whilst such data may be stored, they may only be processed with your consent or for the purpose of asserting, exercising or defending legal claims or for protecting the rights of another natural or legal person or for reasons of important public interest of the Union or a Member State.
If processing has been restricted in accordance with the above conditions, the data controller will inform you before the restriction is lifted.

Your right to restriction of processing can be restricted insofar as it is likely to render impossible or seriously impair the research or statistical purposes for which the data is required and this restriction is necessary for achieving the required research or statistical purposes.

Right to erasure

Duty to erase

You may request that the data controller erase without delay personal data concerning you and the data controller is obliged to erase these data without delay in the event that one of the following applies:

  1. The personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed.
  2. You withdraw your consent on which the processing was based in accordance with Art. 6 (1) (a) or Art. 9 (2) (a) GDPR and there is no other legal basis for the processing.
  3. You object to the processing in accordance with Art. 21 (1) GDPR and there are no overriding legitimate reasons for the processing or you object to the processing in accordance with Art. 21 (2) GDPR.
  4. The personal data concerning you have been processed unlawfully.
  5. The erasure of personal data concerning you is necessary to fulfil a legal obligation under Union or Member State law to which the data controller is subject.
  6. The personal data concerning you have been collected in relation to information society services in accordance with Art. 8 (1) GDPR.

Obligation to inform third parties

If the data controller has made the personal data concerning you public and is obliged to erase them in accordance with Art. 17 (1) GDPR, he or she will take reasonable steps, including technical measures and taking into account the available technology and the cost of implementation, to inform data controllers responsible for processing such personal data that you as data subject have requested the erasure by such controllers of any links to, or copy or replication of, these personal data.

Exceptions

The right to erasure does not apply insofar as the processing is necessary:

  1. To exercise the right to freedom of expression and information
  2. To fulfil a legal obligation which requires processing in accordance with Union or Member State law to which the data controller is subject or for the performance of a task in the public interest or in the exercise of official authority vested in the data controller
  3. For reasons of public interest in the area of public health in accordance with Art. 9 (2) (h) and (i) and Art. 9 (3) GDPR
  4. For archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes in accordance with Article 89 (1) GDPR insofar as the right referred to in the section on ‘Duty to erase’ is likely to render impossible or seriously impair the achievement of the objectives of such processing.
  5. For asserting, exercising or defending legal claims

Right to notification

If you have exercised your right to have the data controller rectify, erase or restrict the processing of personal data concerning you, he or she is obliged to inform all recipients to whom such data have been disclosed of their rectification or erasure or of the restriction of processing, unless this proves impossible or involves disproportionate effort.
You have the right to be informed of these recipients.

Right to data portability

You have the right to receive the personal data concerning you that you have made available to the data controller in a structured, common and machine-readable format. You also have the right to pass these data to another data controller without hindrance from the data controller to whom they were made available provided that:

  1. The processing is based on consent in accordance with Art. 6 (1) (a) GDPR or Art. 9 (2) (a) GDPR or on a contract in accordance with Art. 6 (1) (b) GDPR.
  2. The processing takes place with the help of automated means.

In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one data controller to another insofar as this is technically feasible. This must not compromise the freedoms and rights of other persons.
The right to data portability does not apply for the processing of personal data necessary for the performance of a task in the public interest or in the exercise of official authority vested in the data controller.

Right to object

You have the right, on grounds arising out of your particular situation, to object at any time to the processing of personal data concerning you that occurs on the basis of Art. 6 (1) (e) or (f) GDPR; this also applies for profiling activities undertaken on the basis of these provisions.
The data controller shall no longer process the personal data concerning you, unless he or she produces compelling and legitimate reasons for such processing which outweigh your interests, rights and freedoms or such processing is necessary for asserting, exercising or defending legal claims.
If the personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing; this also applies to profiling insofar as it is undertaken in connection with such direct marketing activities.
If you object to data processing for direct marketing purposes, the personal data concerning you are no longer processed for such purposes.
In connection with the use of information society services and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.

You also have the right, on grounds arising out of your particular situation, to object to the processing of personal data concerning you that occurs for scientific or historical research purposes or for statistical purposes in accordance with Art. 89 (1) GDPR.
Your right to object can be restricted insofar as it is likely to render the achievement of research and statistical purposes impossible or seriously impair such purposes and this restriction is necessary for achieving such research or statistical purposes.

Right to withdraw a declaration of consent concerning data protection

You have the right to withdraw your declaration of consent concerning data protection at any time. Withdrawing your consent does not affect the lawfulness of data processing based on your consent before its withdrawal.

Automated decisions in individual cases, including profiling

You have the right not to be made subject to a decision based exclusively on automated data processing, including profiling, which produces legal effects concerning you or significantly affects you in a similar way. This does not apply if the decision is:

  1. Necessary for entering into or performing a contract between you and the data controller
  2. Authorised by Union or Member State law to which the data controller is subject and which contains suitable measures to safeguard your rights and freedoms as well as your legitimate interests
  3. Based on your explicit consent

However, such decisions may not be based on special categories of personal data in accordance with Art. 9 (1) GDPR unless Art. 9 (2) (a) or (g) GDPR applies and suitable measures to safeguard your rights and freedoms as well as your legitimate interests have been taken.
With regard to the circumstances referred to in (1) and (3), the data controller shall take suitable measures to safeguard your rights and freedoms as well as your legitimate interests, which include at least the right to obtain human intervention on the part of the data controller, to express your point of view and to contest the decision.

Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work or the place of the alleged infringement if you consider that the processing of personal data concerning you infringes the GDPR.
The supervisory authority with which the complaint has been lodged shall inform the complainant of the progress and the outcome of the complaint, including the possibility of a judicial remedy in accordance with Art. 78 GDPR.