The controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws of the Member States of the European Union as well as other data protection regulations is:
1. Extent of processing of personal data
We only process the personal data of our users when it is necessary so that we can offer content and services to our users. We primarily utilise consent as the legal basis for processing of personal data. In certain circumstances however, clearly indicated below, alternate legal bases will be used.
GHGA involves a number of institutions across Germany who work closely together. It is necessary to share certain personal data with these institutions in order to operate our services. These institutions are considered to be joint-controllers of the data. A list of institutions that may receive your data is included below. Legally, GHGA is usually represented by DKFZ.
2. Legal basis for the processing of personal data
When we receive consent from you for the processing of your personal data, Article 6 (1) lit. a) GDPR serves as the legal basis.
If you agree to a contract with DKFZ, it will be necessary to process your personal data in order for GHGA to fulfil that contract. For example, if you wish to deposit Research Data with GHGA. The legal basis for that processing is Article 6 (1) lit. b) GDPR.
If DKFZ is required to process your personal data due to a legal obligation to which we are subject, the legal basis will be Article 6 (1) lit. c) GDPR.
When the processing of your personal data is required for the purposes of legitimate interests pursued by DKFZ or an institution which is part of GHGA, the legal basis is Article 6 (1) lit. f) GDPR.
3. Erasure of data and retention duration
Your personal data will be deleted when it is no longer required for its intended purpose. This may vary depending on the reason why it has been collected. GHGA operates a Data Deletion Concept to ensure that personal data are not stored beyond any legal retention periods.
The duration of storage for each data type is described below. You may have the legal right to request the deletion of your data prior to the planned retention period, please see the ‘Your rights’ section.
1. Description and scope of data processing
Each time the GHGA website is accessed, our system automatically records data and information about the device used to access the site. This is stored as data and log files.
The following data are collected:
2. Legal basis for data processing
The legal basis for the temporary storage of data and log files is Article 6 (1) lit. f) GDPR.
3. Purpose of data processing
It is necessary for us to temporarily store IP addresses on our system so that we can ensure the delivery of our website to visitors’ devices. For this purpose, your IP address must be stored whilst you are visiting our website.
Primarily the data collected are stored in log files which are used to ensure the functionality of our website. In addition, the data may also be used to support the security of our system. We do not use your data collected when you are using our website for marketing purposes.
As we have a legitimate interest to operate our website for you, we use Article 6 (1) lit. f) GDPR as the legal basis for processing.
4. Duration of storage
The data will be deleted when they are no longer necessary for the intended purpose for which they have been collected. The data that are collected for the provision of the Website, are deleted as soon as the session is completed.
The data stored in log files are usually deleted no later than seven days after the end of the session. In exceptional circumstances, the data may be stored for a longer time, for example for system security purposes. In such cases, your IP addresses are deleted or modified so that you cannot be identified.
5. Options for objection and removal
These data must be collected to ensure the functioning of our website and they must be stored in log files in order to make our website available to you. Consequently, we cannot offer you the right to object to processing in this case.
1. Description and scope of data processing
Our website uses cookies. Cookies are small data files that are placed on a website visitor’s device by their browser. Cookies are typically used to store information that is needed to support the functionality of the website.
We use cookies to ensure our site is user-friendly. Some elements of our website call for the browser to be identified even after switching pages.
2. Legal basis for data processing
The legal basis for the processing of your personal data with the use of cookies is Article 6 (1) lit. f) GDPR.
3. Purpose of data processing
We use cookies for three distinct purposes.
(1) Required Cookies
Required cookies support the functionality of the GHGA website. They are created by the Typo3 system that the website uses.
(2) Website Analytics
Statistical cookies are used for the purpose of improving the quality of our website and its contents. These cookies enable us to learn how the GHGA website is used so that we can continually improve our service. For example, we may wish to understand how long it takes for visitors to find the information they require so that we can optimise the structure of the GHGA website.
The statistical cookies can recognise which internet browser you are using and a profile about the ways in which you use our website. However, your IP address is anonymised immediately by shortening it so that we only know from which region you are accessing our website. We can therefore understand how you use the GHGA website, but we have no way to link that information back to you.
In order to collect this information we are using third-party cookies provided by Matomo. The information collected by the analysis cookies is transferred to a server operated by GHGA.
(3) Youtube
Content hosted by video platforms will be disabled automatically on the GHGA website. To see content from external sources, you need to enable the YouTube cookies in the Cookie Settings.
Detailed information on the YouTube plugin used and the data transferred to YouTube can be found below in section “Plugins and tools”.
As we have a legitimate interest to operate our website for you, we use Article 6 (1) lit. f) GDPR as the legal basis for processing.
4. Duration of storage, options for objection and removal
The cookies produced are stored on your device and transmitted to our website. Therefore, you have full control of where the cookies are stored. By changing the settings in your internet browser, you can disable or restrict the transmission of cookies. Previously stored cookies can be deleted from your device at any time. It may also be possible to do so automatically.
You can update your preferences for the GHGA website by clicking on Cookie Settings. From there you can accept or reject the use of cookies by their purpose. Rejecting cookies may limit the functionality of the GHGA website.
1. Description and scope of data processing
In order to subscribe to the GHGA Newsletter, you will be asked to provide personal data via a submission form.
The registration for our newsletter takes place via a so-called double opt-in procedure. That means, you will receive an email after registration in which you will be asked to confirm your registration. This confirmation is necessary so that no one can register with someone else’s email address. When initially registering for the newsletter, your IP address, and the date and time of registration are stored. This helps prevent the misuse of the services or your email address. The data is used exclusively for sending you our newsletter.
We use rapidmail to send the GHGA newsletter.
2. Legal basis for data processing
The legal basis for the processing of your personal data to subscribe to the newsletter is Article 6 para. 1 lit. a) DSGVO.
3. Purpose of data processing
Use of rapidmail:
rapidmail is provided by rapidmail GmbH, Wentzingerstraße, 21, 79106 Freiburg, Germany. The information that you provide via the submission form is stored on their servers in Germany.
We use rapidmail to organise the sending of the GHGA newsletter. In addition, rapidmail enables us to understand whether the newsletter has been opened, and whether any links have been clicked on. To do so, emails sent by rapidmail contain a tracking pixel which connects to their servers when the email is opened and the links in the newsletter are tracking-links. This information enables us to understand how recipients engage with our newsletter, and what content they find to be most interesting and relevant.
The legal basis for the processing of the personal data used to manage subscriptions to the GHGA newsletter is consent, Article 6 para. 1 lit. a) DSGVO. The legal basis for sending the newsletter is described in Section 7 (3) UWG.
4. Duration of storage
You can cancel your subscription to the GHGA newsletter at any time. We include links on how to do so in every newsletter. You can also unsubscribe via the GHGA website. The personal data collected from you for this purpose will be deleted. Data collected from you for other purposes will not be affected if you choose to unsubscribe from the GHGA newsletter.
If you do not wish for your data to be processed by rapidmail, you must unsubscribe to the newsletter. You can access a copy of the GHGA newsletter from our website without subscribing.
1. Description and scope of data processing
The GHGA website includes contact forms if you wish to contact us. If you decide to contact us using the forms, the data you provide is sent to us and stored within a Zammad helpdesk system managed by DKFZ.
The following email addresses are also rerouted to the Zammad Helpdesk:
The contact forms requests the following information from you: the reason for contacting us, your name, your email address, and your message to us. The time and date of your message is also stored. Your message may also include any other personal data you choose to include.
You will be asked to confirm that you have read and understood this privacy policy before contacting us via the form.
Zammad helpdesk system
We use the Zammad helpdesk system provided by Zammad GmbH, Marienstraße 11 in 10117 Berlin. The use of a helpdesk system ensures that we can respond to enquiries and requests effectively and in an appropriate time.
Zammad only uses the data for the technical processing of the enquiries and requests and does not pass them on to other third parties. In the course of processing enquiries and requests, it may be necessary for us to request further data from you.
When submitting using the contact form, Zammad creates a ticket regarding your enquiry or request and a user profile using the provided first name, surname, and email address, if this does not already exist. All messages that you send to us are automatically assigned to your user profile. You have the option to create an account with Zammad as part of the process to directly view and manage your own enquiries and requests.
2. Legal basis for data processing
The legal basis for the processing of the data that are sent to the Zammad helpdesk is Article 6 (1) lit. f) GDPR. GHGA has a legitimate interest to process this data to ensure the functionality and security of our data infrastructure for users in the event of problems, malfunctions, and failures. The processing is also in the interest of our users, as they are supported as users in case of technical questions and problems.
If you enter into a contract with DKFZ, then the legal basis for the processing of your communications with us is Article 6 (1) lit. b) GDPR.
3. Purpose of data processing
The personal data you submit to us via a contact form is used to create a helpdesk ticket through which we can communicate with you and provide support to you. The other data processed during the transmission of the contact form are used to prevent misuse of the contact form to ensure the security of our helpdesk system.
4. Duration of storage
While we aim to resolve your problems quickly, the tickets and the information that they contain provided by you will be stored for a longer period, in case you have any follow-up questions.
Tickets which are processed under Article 6 (1) lit. f) will be deleted no later than 5 years after the issue to which they relate has been resolved. Doing so will only delete the information in that particular ticket, and so if you have opened multiple tickets, we may still continue to store personal data about you.
Tickets which are processed under Article 6 (1) lit. b) will be stored until such time that the Research Data and Personal Metadata that they refer to is no longer archived by GHGA. Due to the sensitive nature of the Research Data and Personal Metadata, it is necessary to retain a record of all instructions we have received that relate to their processing.
5. Options for objection and removal
You have the right to request the erasure of data we hold about you under certain conditions. You may also object to our processing of data about you. Please see the section ‘Your rights’ for more information.
1. Description and scope of data processing
Life Science Login (LS Login) is an Authentication service from EOSC-Life. It enables researchers to use their home institutional credentials to access services. At GHGA, LS Login is used to access the GHGA Data Portal when a user wishes to request access to data or download data they have been approved to access. In the future, it will also be necessary for users who wish to submit data to GHGA to login into the GHGA Data Portal. Data regarding persons approved to act is stored in the de.NBI Cloud hosted by the DKFZ. This is a secure cloud infrastructure with strict access controls in place.
2. Legal basis for data processing
The legal basis for the processing of data for LS Login is Article 6 (1) lit. f) GDPR. GHGA has a legitimate interest to process this data to ensure the functionality and security of our data infrastructure for users.
3. Purpose of data processing
These data are processed in order to identify you when you request access to the GHGA Data Portal. This enables us to ensure that Research Data and Personal Metadata are only accessed by approved researchers. It is also necessary for us to ascertain that instructions relating to the processing of Research Data and Personal Metadata are issued by authorised persons.
4. Duration of storage
Due to the sensitive nature of the Research Data and Personal Metadata, it is necessary to store information about who has accessed it, or instructed GHGA Central act, whilst it is stored within the GHGA Data Infrastructure. Data related to persons who accessed Research Data and Personal Metadata, or instructed GHGA Central, shall be deleted 6 years after the Research Data and Personal Metadata has been removed from the GHGA Data Infrastructure.
5. Options for objection and removal
It is necessary to process your information through LS Login in order to identify and authorise you on our systems. This is essential when you wish to access Research Data and Personal Metadata or to enable you to instruct us to process Research Data and Personal Metadata. Consequently, we cannot offer you the right to object to processing in this case.
YouTube
YouTube is an Internet video portal that allows video publishers to post video clips free of charge and for other users to view, rate, and comment about the videos, also free of charge. It is operated by Google. In the European Economic Area (EEA) and Switzerland, YouTube services are offered by Google Ireland Limited, registered and operated under Irish law (registration number: 368047), Gordon House, Barrow Street, Dublin 4, Ireland.
The GHGA website uses plugins as a service from YouTube so that we can embed videos on our website. When you visit one of our pages that contains an embedded YouTube video, a connection to the YouTube servers is established. This tells the YouTube server which of our pages you are visiting. The videos have been embedded using a privacy-enhanced mode which means that any videos you view via our website will not be used to personalise your YouTube experience or will it impact adverts that you see (for more information, see support.google.com/youtube/answer/171780).
We use YouTube as a platform to share presentations, talks, and other such events which may be of interest to the users of GHGA. This represents a legitimate interest within the meaning of Article 6 para. 1 lit. f GDPR for GHGA. For more information on the handling of user data, please refer to YouTube's privacy policy at: www.google.de/intl/de/policies/privacy.
Social media platforms
GHGA has a presence on social media platforms such as LinkedIn and Twitter. Anyone who registers with social media platforms and uses their functions to interact with GHGA there (such as by commenting, communicating, liking or sharing posts) leaves data behind in the process. It is possible that this data is stored, evaluated, and processed by the social media platform, for example to analyse user behaviour.
GHGA has no influence upon the data protection policies of these social media platforms. For more information about the data they processed and your rights please see their respective privacy policies:
You can access the content GHGA posts on social media platforms directly from our website without registering for the platforms. You may find that some functionality is missing without registration.
In order to make the GHGA website more attractive and user-friendly, we integrate content directly from selected social media platforms (YouTube and Twitter) into certain pages. We use cookies to do so. You can deactivate these cookies by going to Cookie Settings on our website. The content that relies on the deactivated cookies will not be displayed.
Podigee Podcast-Hosting
GHGA hosts a regular podcast, Der Code Des Lebens, about genome research.
To do so, we use the Podigee podcast hosting service from the provider Podigee GmbH, Schlesische Straße 20, 10997 Berlin, Germany. The podcasts are downloaded or streamed from Podigee. Podigee processes your IP address and device information to enable the downloading or playback of podcasts and to collect statistical data to determine, for example, the total number of downloads. Your IP address is only required whilst Podigee is running. Statistical information is stored in an anonymised form by Podigee.
Further information about the processing and your options to object can be found in Podigee's data protection declaration: https://www.podigee.com/en/about/privacy.
The use of Podigee is based on a legitimate interest for GHGA to ensure a secure and efficient provision of our podcast and for us to be able to analyse and optimise its impact. The legal basis for processing this data is that GHGA has a legitimate interest within the meaning of Article 6 para. 1 lit. f GDPR.
Shinyapps.io
Our Legacy Consent Toolkit app is hosted at shinyapps.io which is provided by RStudio, 250 Northern Ave, Boston, MA 02210, USA. The app generates a log of the R console messages that would normally be seen if running the app code within RStudio.
The log does not contain any personal information about you such as your IP address or location; it is only generated to support bug-fixing. The log is automatically deleted after 1 week.
The following institutions are involved in GHGA and are joint-controllers of the data described in this policy:
As soon as your personal data are processed, you assume the role of the data subject as pursuant to GDPR and are therefore granted the rights vis-à-vis the data controllers listed above. Please contact the Data Protection Officer listed under ‘Name and address’ or datenschutz@dkfz.de if you wish to exercise any of your rights. Your rights are as follows:
1. Right to revoke consent to data processing (Art. 7 para. 3 GDPR)
You have the right to revoke your consent to data processing at any time. Upon revoking consent, the legality of the data processing already carried out on the basis of the consent will not be affected by the revocation of consent.
2. Right of access (Article 15 GDPR)
You have the right to obtain from the controllers confirmation as to whether or not personal data concerning you are being processed by us.
If this is the case, you may request access to the following information from the controller:
You are also entitled to the right to request information on whether your personal data are transferred to a third country or to an international organisation. In this context, you have the right to be informed of the appropriate safeguards pursuant to Article 46 GDPR relating to the transfer.
Please note that the first request for access to the data from you is provided by the controllers without charge, but that a reasonable charge for the work required to provide access may be required for subsequent requests.
3. Right to rectification (Article 16 GDPR)
You have a right to rectification and/or completion if the processed personal data concerning you is incorrect or incomplete. The controllers must make the correction without undue delay.
4. Right to erasure (Article 17 GDPR)
a) Duty to delete
You may request that the controllers delete personal data concerning you without undue delay, and the controller is required to so without undue delay, if one of the following reasons applies:
b) Information transferred to third parties
If the controllers make the personal data concerning you available to other parties and are obliged to erase the data as pursuant to Article 17 (1) GDPR, they must take appropriate measures, taking into account the available technology and the cost of their implementation and technical nature, to inform the other parties who process the personal data that you as the data subject have requested the erasure of all links to these personal data or copies or replication of such personal data.
c) Exceptions
The right to erasure does not apply insofar as the processing is required:
5. Right to restriction of processing (Article 18 GDPR)
You may request the restriction of processing of personal data concerning you under the following conditions:
Where processing of personal data concerning you has been restricted, such data shall, with the exception of storage, only be processed with your consent or for the assertion, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State.
Where the restriction of processing is carried out pursuant to the aforementioned conditions, you will be informed by the controllers before the restriction of processing is lifted.
6. Right to be informed (Article 19 GDPR)
If you have asserted your right to rectification, erasure or restriction pertaining to the data processing vis-à-vis the controllers, they are thus obliged to inform all recipients to whom the personal data have been disclosed of this rectification or erasure of the data or the limitation of the processing, unless this proves to be impossible or involves a disproportionate effort.
You are entitled to the right to be informed by the controller about these recipients.
7. Right to data portability (Article 20 GDPR)
You have the right to receive the personal data concerning you, which you have provided to the controllers, in a structured, commonly used, and machine-readable format. Moreover, you also have the right to transmit those data to another controller without hindrance from the controllers to which the personal data have been provided insofar as:
(1) the processing is based on a granted consent as pursuant to Article 6 (1) lit. a) GDPR or Article 9 (2) lit. a) GDPR or on a contract pursuant to Article 6 (1) lit. b) GDPR, and
(2) the processing is carried out by automated means.
In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one controller to another, wherever technically feasible. This may not adversely affect the rights and freedoms of others.
8. Right to object (Article 21 GDPR)
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Article 6 (1) lit. e) or f), including profiling based on those provisions.
The controllers shall no longer process the personal data unless they demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the assertion, exercise or defense of legal claims.
Wherever personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.
If you object to processing for direct marketing purposes, the personal data concerning you may no longer be processed for such purposes.
Within the context of the use of information society services, notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.
9. Automated decision-making, including profiling (Article 22 GDPR)
You have the right not to be subject to a decision that is based solely on an automated processing of data, including profiling, and that may have a legal effect on you or any similarly significant restrictive effect.
Please note, no automated decision-making is made by the controllers when using your data.
10. Right to lodge a complaint with a supervisory authority (Article 77 GDPR)
You also have the right to lodge a complaint with a supervisory authority, if you believe that the processing of your personal data by GHGA is in violation of the GDPR. You can do so in the Member State where you reside or work or where the alleged violation takes place.
The supervisory authority to which the complaint is submitted will inform you on the status and the results of the complaint including the possibility of a judicial remedy as pursuant to Article 78 GDPR.