I. Name and address of the controller
The controller for the purpose of the EU General Data Protection Regulation (hereinafter referred to as “GDPR”) and other national data protection laws of the Member States and also other applicable data protection regulations is:
Vascupedia GmbH (“Vascupedia”)
Tel.: +49 (0)251 935 3931
II. General information on data processing
Vascupedia collects and uses personal data of users only as far as it is necessary to provide and maintain a functional website and the content and services on the platform. In general, the collection and use of the personal data of the users takes place only after consent of the user has been obtained, or if the processing of the data is already permitted by legal regulations.
Insofar as Vascupedia obtains the consent of the users for the processing of their personal data, Art. 6 (1) (a) GDPR serves as the legal basis.
In case the processing of personal data is required for the performance of a contract to which the user is a party, Art 6 (1) (b) GDPR serves as the legal basis. This also applies to processing operations in order to take steps at the request of the user prior to entering into a contract.
Insofar as processing personal data is necessary for the fulfilment of a legal obligation, which Vascupedia is subject to, Art 6 (1) (c) GDPR serves as the legal basis.
In the event that the vital interests of the user or another natural person require the processing of personal data, Art 6 (1) (d) GDPR serves as the legal basis.
If processing is necessary for the protection of a legitimate interest of Vascupedia or a third party and the interests, fundamental rights and freedoms of the person concerned do not override the former interest, then Art 6 (1) (f) GDPR serves as the legal basis for the processing.
The personal data of the user will be deleted or blocked as soon as the purpose of storage ceases to apply. In addition, data may be stored if it has been provided for by European or national legislators in EU regulations, laws or other provisions to which Vascupedia is subject. The data will also be blocked or deleted if a storage period prescribed by the aforementioned standards expires, unless there is a need for further storage of the data for the conclusion or fulfilment of a contract.
III. Provisioning of the website and creation of log files
At each of the webpages of the Vascupedia platform, the webserver used by Vascupedia automatically collects data and information of the accessing computer.
The following data is collected:
(1) information about the type of browser and the version used
(2) operating system of the user
(3) internet service provider of the user
(4) IP address of the user
(5) location, date and time of access
(6) websites from which the user’s system reaches Vascupedia’s website
(7) websites accessed by the user’s system through Vascupedia’s website
This data is used for session handling and will also be saved in the log files on the server. The IP address is transmitted with each server request so that the server knows where to send the response. Every internet user is assigned an IP address by his Internet Service Provider (ISP) as soon as he connects to the Internet. The ISP can trace which IP address was assigned to which of its customers at which time. As long as the IP address is stored, the identity of the subscriber can theoretically be determined by the ISP. Vascupedia saves the complete IP Address only temporarily to log files for debugging purposes and threat protection. The complete IP address is deleted after three days, so that the recorded data is then anonymous and identification of the user is no longer possible.
The processing of this data serves to deliver the contents of the website, to guarantee the functionality of the information technology systems and to optimise the website. The data of the log files are stored separately from other personal data.
The legal basis for the temporary storage of data and log files is Art 6 (1) (f) GDPR.
The temporary storage of the IP address by the server is necessary to enable the website to be delivered to the user’s computer. For this the IP address of the user must remain stored for the duration of the session.
The storage in log files is done to ensure the functionality of the website. In addition, Vascupedia uses the data to optimise the website and to ensure the security of the IT systems.
Vascupedia’s legitimate interest in data processing pursuant to Art 6 (1) (f) GDPR lies in these purposes.
The data will be deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. In the case of the collection of data for the provision of the website, this is the case when the respective session has ended.
If the data is stored in log files, deletion occurs after seven days at the latest. Further storage is possible. In this case, the IP addresses of the users are deleted or alienated, so that assignment of the accessing client is no longer possible.
The collection of data for the provision of the website and the storage of data in log files is essential for the secure and data protection compliant operation of the website. There is consequently no opportunity to object on the part of the user.
The following data is stored and transmitted within the cookies:
- To check if user is logged in
- Check if user has given Cookie-consent
- Set a testcookie
- Remain logged-in
The user data collected in this way is pseudonymised by technical precautions. Therefore, it is no longer possible to assign the data to an accessing user. The data will not be stored together with other personal data of the users. Please refer to the section dedicated to Google Analytics for additional information on the analysis cookies.
The legal basis for processing personal data using technically necessary cookies is Art 6 (1) (f) GDPR.
The legal basis for processing personal data using cookies for analytical purposes, if the user has given his or her consent in this regard, is Art 6 (1) (a) GDPR, otherwise Art 6 (1) (a) GDPR.
The user data collected by technically necessary cookies are not used to create user profiles.
The use of analysis cookies takes place for the purposes of improving the quality of the website and its content. Through the use of analysis cookies, Vascupedia learns how the website is used and can thus constantly optimise the website.
Further, Vascupedia provides its industry partners (companies that present their products in the Exhibition Area of the website) with statistics regarding visits to the virtual product presentations on the website. These statistics are anonymized and aggregated, and no link to a specific user can be made.
For these purposes, Vascupedia also has a legitimate interest in the processing of personal data pursuant to Art 6 (1) (f) GDPR.
On Vascupedia’s website, users are offered the opportunity to register by entering personal data in order to create a user account. The data is entered into a form and transmitted to Vascupedia and stored in a user database.
The following data may be collected during the registration process:
- first name*
- last name*
- short sentence about user
- workplace (name of hospital, city of hospital, country of hospital)
- area of interest
At the time of registration, the following data are also stored:
- IP address of the user
- date and time of registration
During the registration process the consent of the user to the processing of this data is obtained.
Data regarding the user base is also pseudonymised and aggregated and used for statistical purposes. The statistics may be provided to third parties, in particular to industry partners of Vascupedia, for analysis. Information provided to third parties does not contain any personal data.
Vascupedia allows users to upload content (like presentations) or to comment on other users’ content. Vascupedia saves and publishes user content provided voluntarily, and thus all personal data included in such content.
The legal basis for the processing of data obtained during registration and through user’s content-related activity on the site is Art 6 (1) (a) GDPR.
User registration is required for the provision of certain content and services on the website. In particular, only registered users shall be able to publish content and comment on publications of other users.
The data will be deleted as soon as it is no longer necessary to achieve the purpose for which it was collected.
This is also the case for data collected during the registration process if the registration on the website is cancelled or modified.
Users have the possibility to cancel their registration at any time. The data stored about users can be changed by the user at any time. Users may proceed to the section “Edit Profile” in order to change or delete their data provided. If a user wishes to delete his account and all data associated with it, an email to email@example.com will be sufficient. The account will then be deleted in a timely manner.
VI. Email contact
Site visitors can contact Vascupedia via the email address provided. In this case, the user’s personal data transmitted by email will be stored.
In this context, there is no disclosure of the data to third parties. The data are used exclusively for processing the conversation.
The legal basis for the processing of the data in the event of the user’s consent is Art 6 (1) (a) GDPR.
The legal basis for the processing of data transmitted in the course of sending an email is Art 6 (1) (f) GDPR. If the email contact is aimed at the conclusion of a contract, then additional legal basis for the processing is Art 6 (1) (b) GDPR.
The processing of the personal data of contact by email serves Vascupedia alone for the treatment of the establishment of contact. In the event of contact by email, this also constitutes the necessary legitimate interest in the processing of the data.
The other personal data processed during the sending process serves to prevent misuse and to ensure the security of the information technology systems.
The data will be deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. For the personal data transmitted via email this is the case once the conversation with the user has ended. The conversation is terminated when it can be inferred from the circumstances that the facts in question have been finally clarified.
The user has at all times the possibility to rescind his consent regarding the processing of his personal data. If the user contacts Vascupedia by email, he can object to the storage of his personal data at any time. In such a case, the conversation cannot be continued.
VII. Contact form
There is a contact form on the website which can be used to contact Vascupedia electronically. If a user uses this option, the data entered in the form is transferred to Vascupedia and saved. This data includes the name and email address entered, and also the message content.
At the time the message is submitted, a time stamp and the IP address of the submitting IT system are also saved.
User’s consent is obtained for the processing of the data within the scope of the submission process and reference is made to this data protection declaration.
In this context, there is no disclosure of the data to third parties. The data is used exclusively for processing the conversation.
The legal basis for the processing of the data is Art 6 (1) (a) GDPR.
The processing of the personal data from the contact form serves Vascupedia alone for establishing contact with a user.
The other personal data processed during the submission process serves to prevent abuse of the contact form and to ensure the security of the information technology systems.
The data will be deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. For the personal data from the input form this is the case once the conversation with the user has ended. The conversation usually is considered finished when it can be inferred from the circumstances that the facts in question have been finally clarified.
The additional personal data collected during the submission process will be deleted after a period of three days at the latest.
VIII. Google Analytics
Vascupedia has integrated the component Google Analytics (with anonymization function) on this website. Google Analytics is a web analytics service. Web analysis is the collection, gathering and evaluation of data on the behaviour of visitors to internet sites. Among other things, a web analysis service collects data on which website a user came from (so-called referrer), which subpages of the website were accessed or how often and for how long a subpage was viewed. A web analysis is mainly used to optimise a website and for cost-benefit analysis of internet advertising.
Google Analytics places a cookie on the IT system. Cookies have already been explained above. By setting the cookie, Google is enabled to analyse the use of our website. Each time one of the individual pages of this website on which a Google Analytics component has been integrated is accessed by a user, the Internet browser on the user’s information technology system is automatically triggered by the respective Google Analytics component to submit online analysis data to Google. As part of this technical process, Google obtains knowledge of personal data, such as the IP address of the user, which serves Google, among other things, to trace the origin of visitors and. Cookies are used to store personal information, such as access time, the location from which access originated and the frequency of visits to Vascupedia’s website by the user. Whenever a user visits Vascupedia’s website, this personal data, including the IP address of the internet connection used by the user, is transmitted to Google in the United States of America. This personal data is stored by Google in the United States of America. Google may disclose personal data collected through the technical process to third parties.
Vascupedia uses the suffix “_gat._anonymizeIp” for the web analysis via Google Analytics. By means of this addition, Google shortens and anonymises the IP address of the user’s internet connection when accessing Vascupedia’s websites from a member state of the European Union or from another state party to the agreement on the European Economic Area.
The Google Analytics component is operated by Google Inc. 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA. Google Inc. is certified under the agreement known as Privacy Shield. The certificate can be viewed at: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI
The legal basis for the processing of personal data by Google Analytics is Art 6 (1) (f) GDPR. The purpose of the Google Analytics component is to analyse the flow of visitors to the website. Google uses the data and information collected to evaluate the use of the website, among other things, to compile online reports for Vascupedia that show the activities on our website and to provide other services in connection with the use of our website. This is also the legitimate interest of Vascupedia in data processing.
The user can prevent the setting of cookies through Vascupedia’s website at any time, as already described above, by means of a corresponding setting of the internet browser used and thus permanently objecting to the setting of cookies. Such a setting of the Internet browser used would also prevent Google from placing a cookie on the User’s information technology system. In addition, a cookie already set by Google Analytics can be deleted at any time via the internet browser or other software programmes.
To disable Google Analytics. If the user deletes this opt-out cookie, it may be necessary to set the cookie again.
Google Analytics will be explained in more detail under this link: https://www.google.com/intl/de_de/analytics/
The data will be deleted as soon as it is no longer necessary for the purpose of its collection. Vascupedia has selected in the settings of Google Analytics a deletion of all pseudonymous user profiles 14 months after the last activity.
Vascupedia has integrated YouTube components on its website. YouTube is an internet video portal that allows video publishers to freely watch video clips and other users to view, rate and comment on them for free. Information about YouTube can be found at: https://www.youtube.com/yt/about/de/
YouTube is operated by YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. YouTube, LLC is a subsidiary company of Google Inc. 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.
Each time a YouTube component (YouTube video) is integrated into one of the individual pages of this website, the internet browser on the user’s information technology system is automatically prompted by the respective YouTube component to download a representation of the corresponding YouTube component from YouTube. Within the framework of this technical procedure, YouTube and Google are informed which specific subpage of Vascupedia’s website is visited by the user.
If the user is simultaneously logged into YouTube, YouTube recognises which specific subpage of Vascupedia’s website the user visits by accessing a subpage containing a YouTube video. This information is collected by YouTube and Google and assigned to the user’s YouTube account.
The legal basis for the processing of data in connection with embedding content from YouTube is Art 6 (1) (f) GDPR.
If such a transmission of this information to YouTube and Google is not desired by the user, they can prevent the transmission by logging out of the YouTube account before accessing the website.
The data protection regulations published by YouTube which can be accessed at: https://www.google.de/intl/de/policies/privacy/ provide information about the collection, processing and use of personal data by YouTube and Google.
Vascupedia uses the services of Cloudinary. Cloudinary provides content delivery services and hosts most media files uploaded to and embedded into Vascupedia’s website.
Whenever a user accesses a website in which media files are embedded, the user’s browser sends a request to Cloudinary’s infrastructure so the embedded media file can be transmitted. By receiving and answering such a request, Cloudinary will inevitably process the user’s IP address and other information about the user’s IT system, e.g. type of browser and operating system used.
Cloudinary is also used for an initial upload of user content. Media files submitted by users to Vascupedia will be uploaded to Cloudinary and processed automatically to meet Vascupedia’s quality expectations. After initial processing, the media files will be served as outlined above. During initial uploading, again information like IP address, type of browser and operating system may be stored by Cloudinary.
Vascupedia assigns each of its registered users a unique ID. This ID will be transmitted to Cloudinary whenever content is uploaded and used to identify the user and his content on Cloudinary’s infrastructure.
Cloudinary is a service run by Cloudinary Ltd., 111 W Evelyn Ave, Suite 206, Sunnyvale, CA 94086, USA. Cloudinary Ltd. is certified under the EU-US Privacy Shield Framework. The certificate is available under https://www.privacyshield.gov/participant?id=a2zt0000000011jAAA&status=Active
The legal basis for processing personal data in connection with content delivery is Art 6 (1) (f) GDPR. Data processing in connection with media uploading is done on the basis of Art 6 (1) (a) GDPR.
A user may object to and rescind his consent regarding processing of his uploaded content anytime by informing Vascupedia. Vascupedia will procure that content uploaded by the user will be removed by Cloudinary.
The content delivery services of Cloudinary are essential for the functioning of the website. There is consequently no opportunity to object on the part of the user.
XI. Rights of users
If personal data of the user is processed, the user is affected within the meaning of the GDPR and the user is entitled to the following rights vis-à-vis Vascupedia:
1. Right to information
Users may request confirmation from Vascupedia whether personal data relating to the user is processed by Vascupedia.
Once such processing has taken place, users can request the following information from Vascupedia:
(1) The purposes for which the personal data is processed;
(2) The categories of personal data, which is being processed;
(3) The recipients or categories of recipients to whom the personal data relating to the user has been or is still being disclosed;
(4) The planned duration of storage of the user’s personal data or, if specific information on this is not possible, criteria for determining the storage period;
(5) The existence of a right to correction or deletion of personal data relating to the user, a right to restriction of processing by Vascupedia or a right to object to such processing;
(6) The existence of a right of appeal to a supervisory authority;
(7) Any available information on the origins of the data if the personal data is not collected from the user itself;
(8) The existence of automated decision-making, including profiling in accordance with article 22(1) and (4) GDPR and – at least in these cases – meaningful information on the logic involved and the scope and intended effects of such processing for the user.
Users have the right to request information as to whether personal data relating to the user is transferred to a third country or to an international organisation. In this context, users may request to be informed of the appropriate guarantees in accordance with art 46 GDPR in connection with the transmission.
2. Right to rectification
Users have the right to rectification and/or completion vis-à-vis Vascupedia if the processed personal data concerning the user is incorrect or incomplete. Vascupedia must make the correction without delay.
3. Right to restriction of processing
Users may request the restriction of the processing of personal data concerning the user under the following conditions:
(1) If the user contests the accuracy of the personal data the period of restriction can be extended allowing for Vascupedia to verify the accuracy of the personal data;
(2) The processing is unlawful and the user opposes the deletion of the personal data and requests the restriction of their use instead;
(3) Vascupedia no longer requires the personal data for the purposes of the processing, but they are required by the user for the establishment, exercise or defence of legal claims or
(4) If the user has objected to processing pursuant to article 21(1) pending the verification whether the legitimate grounds of Vascupedia override those of the user.
Where processing has been restricted, such data shall, with the exception of storage, only be processed with the user’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State.
If the processing of data has been restricted according to the above conditions, users will be informed by Vascupedia before the restriction is lifted.
4. Right to delete
a) Deletion obligation
Users have the right to obtain from Vascupedia the deletion of their personal data without undue delay and Vascupedia is obligated to delete this personal data without undue delay where one of the following grounds applies:
(1) The personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed.
(2) The user withdraws consent on which the processing is based according to Art 6 (1) (a) or Art 9 (2) (a) GDPR and where there is no legal ground for the processing.
(3) The user objects to the processing pursuant to Art 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or the user objects to the processing pursuant to Art 21(2) GDPR.
(4) The personal data has been unlawfully processed.
(5) The personal data has to be erased for compliance with a legal obligation in Union or Member State law to which Vascupedia is subject.
(6) The personal data has been collected in relation to the offer of information society services referred to in art 8(1) GDPR.
b) Passing information to third parties
If Vascupedia has made public the personal data relating to the User and if Vascupedia is obliged to delete such data pursuant to Art 17(1) GDPR, Vascupedia shall take appropriate measures, including technical measures, taking into account the available technology and the implementation costs, to inform those responsible for data processing who process the personal data, that user as data subject has requested Vascupedia to delete all links to such personal data or copies or replications of such personal data.
The right to deletion doesn’t exist insofar as the processing is necessary
(1) for exercising the right of freedom of expression and information;
(2) for compliance with a legal obligation which requires processing by the European Union or Member State law to which Vascupedia is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in Vascupedia;
(3) for the establishment, exercise or defence of legal claims.
If users have exercised the right to correct, delete or limit the processing vis-à-vis Vascupedia, Vascupedia is obliged to inform all recipients to whom the personal data relating to the user has been disclosed of this correction or deletion of the data or restriction of processing, unless this proves impossible or involves a disproportionate effort.
Users have the right vis-à-vis Vascupedia to be informed about these recipients.
5. Right to data transferability
Users have the right to receive user-related personal data provided to users in a structured, common and machine readable format. In addition users have the right to transfer this data to another person without hindrance by Vascupedia, provided that
(1) Processing is based on consent pursuant to art 6(1) (a) GDPR or art 9 (2) (a) GDPR or on a contract pursuant to Art 6 (1) (b) GDPR and
(2) The processing is done by automated means.
In the exercise of this right, users also have the right to request that the personal data relating to the user is transmitted directly by a responsible person to another responsible person, insofar as this is technically feasible. The freedoms and rights of other persons must not be affected by this.
6. Right of objection
Users have the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them which is based on art 6 (1) (e) or (f) including profiling based on those provisions.
Vascupedia shall no longer process the personal data unless Vascupedia demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the user or for the establishment, exercise or defence of legal claims.
Where the user’s personal data is processed for direct marketing purposes, the user has the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
Where the user objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
Users have the possibility, in connection with the use of information society services and notwithstanding Directive 2002/58/EC, to exercise their right of objection by means of automated procedures using technical specifications.
7. Right to revoke consent with data protection relevance
Users have the right to revoke their data protection relevant consent at any time. The revocation of consent does not affect the legality of processing carried out on the basis of the consent until revocation.
8. Automated individual decision-making, including profiling
The user has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. This is not applicable if the decision
(1) is necessary for entering into, or performance of, a contract between the user and Vascupedia,
(2) is authorised by European Union or Member State law to which Vascupedia is subject and which also lays down suitable measures to safeguard the User’s rights and freedoms and legitimate interests; or
(3) is based on the user’s explicit consent.
However, these decisions may not be based on special categories of personal data pursuant to Art 9 (1) GDPR, unless art 9 (2) (a) or (g) GDPR applies and appropriate measures have been taken to protect the user’s rights and freedoms and the user’s legitimate interests.
9. Right to raise a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy users have the right to raise a complaint at a supervisory authority, in particular in the member state of residence, place of work, or place of suspected infringement, if users consider that the processing of personal data relating to the user is in violation of the GDPR.
The supervisory authority at which the complaint has been raised shall inform the complainant of the status and results of the complaint, including the possibility of a judicial remedy under art 78 GDPR.
Last Update: 30 May 2018