Data privacy notice
Section 1 Information about the collection of personal data
- This Data Privacy Notice discloses practices surrounding the collection of personal data arising from the use of our website. Personal data are any data that can identify you as an individual, such as name, address, email addresses and user behaviour.
- Under Article 4 (7) of the EU General Data Protection Regulation (GDPR), the data controller is Hannover Medical School (Medizinische Hochschule (MHH), Carl-Neuberg-Str. 1, 30625 Hannover, Germany; email: firstname.lastname@example.org (see our legal notice). Our Data Protection Officer (Datenschutzbeauftragter) can be contacted at [Datenschutz@mh-hannover.de] or at our postal address, marked ‘Die Datenschutzbeauftragte, OE0007’.
- When you contact us by email or using a contact form, we will store the data you have provided (your email address and, if applicable, your name and telephone number) in order that we can answer your questions. We will delete the data obtained in this connection when they no longer need to be stored or, if the law requires us to keep records, we will restrict the processing of this data.
- If we rely on contracted service providers for individual functions of our offering, or if we wish to use your data for advertising purposes, we will notify you (see below) in detail of the operations involved, including the specified criteria for duration of data retention.
Section 2 Your rights
(1) You have the following rights vis-à-vis MHH with regard to your personal data:
– The right to be informed;
– The right to rectification or erasure;
– The right to restriction of processing;
– The right to objection to processing;
– The right to data portability.
(2) You also have the right to lodge a complaint with a data protection regulatory body concerning our processing of your personal data.
Section 3 Collection of personal data in connection with visits to our website
(1) When you use our website purely for informational purposes, i.e. if you do not provide us with any information, then the only personal data we collect are those that your browser transmits to our server. If you wish to view our website, we will collect the following data, which are technically necessary for us to display our website and to ensure its stability and security (the legal basis being Art. 6 (1) (f) GDPR).
– IP address
– Date and time of request
– Amount by which time zone differs from Greenwich Mean Time (GMT)
– Content of request (specific page)
– Access status / HTTP status code
– Volume of data transmitted during each visit
– Website from which request originates
– Operating system and its interface
– Language and version of browser software
(2) In addition to the aforementioned data, cookies are stored on your computer when you use our website. Cookies are small text files stored on your hard drive that are specific to the browser you use and that allow the party which places the cookie (in this case ourselves) to be sent certain information. Cookies cannot be used to run programs or deliver viruses to your computer. Their purpose is to make the Internet offering more user-friendly and effective overall.
Section 4 Other functions and services offered by our website
(1) In addition to the purely informational use of our website, we offer various services that you can use if interested. To do this, you will generally need to provide additional personal data that we use to provide the relevant service and for which the aforementioned data-processing principles apply.
(2) In some cases, we use external service providers to process your data. These have been carefully selected and commissioned by us, are required to follow our instructions and are monitored.
(3) Furthermore, if conclusion of contracts or similar services are offered by us in conjunction with partners, we may share your personal data with third parties. You will receive more detailed information on this when entering your personal data or in the description of the offering below.
(4) Insofar as our service provider or partner is based in a country outside of the European Economic Area (EEA), we will inform you of the consequences of this circumstance in the description of the offering.
Section 5 Objection or revocation of consent to the processing of your data
(1) If you have given consent for your data to be processed, you may revoke this consent at any time. Any such revocation will affect the permissibility of the processing of your personal data after you have notified us of the revocation.
(2) Insofar as we base the processing of your personal data on the balancing of interests, you may lodge an objection to this processing. This is the case if, in particular, the processing is not required for performance of a contract with you, which we describe in each case in the description of the functions given below. Where you exercise a right to make such an objection, we ask that you explain the reasons why we should not process your personal data as we have done. When we receive your objection with reasons, we will examine the situation and will either a) discontinue or modify the processing of your data or b) explain to you our compelling legitimate grounds for continuing these processing activities.
(3) You may, of course, object at any time to the processing of your personal data for purposes of advertising and data analysis. You can notify us of your objection to processing for advertising purposes at the following address: email@example.com
Section 6 Use of social-media plug-ins
1. Plug-ins/ Passive links
On our homepage you will only find passive links to Facebook, Instagram, YouTube, LinkedIn, Xing and Twitter. They are neither deactivated social media buttons nor active plug-ins. Therefore, personal data is only transmitted to the operators of the social media platforms when you actively click on the links and are thus redirected to the social media website itself. The legal basis for the processing of data on access via link on our website based on your consent is Art. 6 (1) lit. a DS-GVO, which you grant by activating the link (1st click). In the case of Meta Platforms, Inc. ("Meta"), according to the respective company in Germany, the IP address is anonymised immediately after collection. By activating the plug-in, your personal data is therefore transmitted to the respective plug-in company and stored there (in the case of US companies, in the USA). Since the plug-in company collects data in particular via cookies, we recommend that you delete all cookies via your browser's security settings before clicking.
The plug-in company stores the data collected about you as usage profiles and uses these for the purposes of advertising, market research and/or designing its website to meet your needs. Such an evaluation is carried out in particular (also for users who are not logged in) for the display of needs-based advertising and to inform other users of the social network about your activities on our website. You have the right to object to the creation of these user profiles, whereby you must contact the respective plug-in company to exercise this right. Through the plug-ins, we offer you the opportunity to interact with the social networks and other users so that we can improve our offer and make it more interesting for you as a user. The legal basis for the use of the plug-ins is Art. 6 para. 1 p. 1 lit. f DS-GVO.
The data transfer takes place regardless of whether you have an account with the plug-in company and are logged in there. If you are logged in to the plug-in company, your data collected by us will be directly assigned to your account with the plug-in company. If you click the activated button and, for example, link to the page, the plug-in company will also store this information in your user account and share it publicly with your contacts. We recommend that you log out regularly after using a social network, but especially before activating the button, as this will help you to avoid an assignment to your profile with the plug-in company.
2. Social media websites
You can also find the MHH on YouTube, Twitter, Facebook, Instagram, LinkedIn and Xing with its own presence. We are jointly responsible with the social media providers on these social media channels for the collection of your data, the data processing on our respective social media channel and its disclosure by transmission, for this purpose Art. 26 DS-GVO. The legal basis for the processing is our legitimate interests according to Art. 6 (1) lit. f DS-GVO to inform you about medical and research topics from our university hospital, to carry out public relations work and to contact you directly. For any further processing in connection with the social media channels, the social media providers are solely responsible within the meaning of the DS-GVO. Further information on joint responsibility for the processing of personal data in events for page insights (insights data): www.facebook.com/legal/terms/information_about_page_insights_data.
The social media provider grants us access to statistical analyses (insights) that provide information about the use of our social media website. These analyses do not allow us to gain an individual insight into the usage behaviour of individual persons. We can only view aggregated data (e.g. number of hits, likes, followers, region of origin, age group). The data of the respective user underlying the analyses are not transmitted to us.
On our social media websites, we can advertise posts with a monetary investment and thereby set which target group is to be reached. The setting is made on the basis of general parameters (e.g. age group, language, region, interests). Based on the data provided to us by the social media provider, it is not possible for us to address or identify individual persons.
Insofar as you contact us directly via the social media provider or interact with us in any other way and thereby deliberately transmit personal data (e.g. direct networking with our social media website), we store and process this personal data for the purposes for which you transmitted it to us. We process this data solely for the purpose of publicising content on our social media website in a manner appropriate to the target group and to better understand and optimise the use of our social media website.
For further information on the purpose and scope of data collection and processing by the plug-in provider, you are referred to the privacy policies of these providers given below. There you will also find further details about your related rights and settings options to protect your privacy.
Addresses of relevant plug-in providers and URLs with their data privacy notices
- a) [Meta Platforms, Inc. („Meta“), 1601 S California Ave, Palo Alto, California 94304, USA; www.facebook.com/policy.php; Further information on data collection: http://www.facebook.com/help/186325668085084, http://www.facebook.com/about/privacy/your-info-on-other#applications such as http://www.facebook.com/about/privacy/your-info#everyoneinfo.
- b) Google Inc., 1600 Amphitheater Parkway, Mountainview, California 94043, USA; https://www.google.com/policies/privacy/partners/?hl=de.
- c) Twitter, Inc., 1355 Market St, Suite 900, San Francisco, California 94103, USA; https://twitter.com/privacy.
- d) New Work SE, Am Strandkai 1, 20457 Hamburg, DE; http://www.xing.com/privacy
- e) T3N, yeebase media GmbH, Kriegerstr. 40, 30161 Hannover, Deutschland; https://t3n.de/store/page/datenschutz.
- f) LinkedIn Corporation, 2029 Stierlin Court, Mountain View, California 94043, USA; http://www.linkedin.com/legal/privacy-policy.
- g) Flattr Network Ltd. mit Sitz in 2 nd Floor, White bear yard 114A, Clerkenwell Road, London, Middlesex, England, EC1R 5DF, Großbritannien; https://flattr.com/privacy.]
- H) Instagram, Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland; https://help.instagram.com/519522125107875
Our web pages also contain AddThis plug-ins. These plug-ins allow you to set bookmarks or share interesting content with other users. We have plug-ins to give you the opportunity to interact with social networks and other users, enabling us to improve our offering and make it more interesting for you as a user. The legal basis for the use of plug-ins is Art. 6 (1) (1) (f) GDPR.
Using these plug-ins, your Internet browser establishes a direct connection with AddThis servers and, as appropriate, the selected social network or bookmarking service. Recipients obtain the information that you have accessed the website that constitutes our online offering and the data mentioned in Section 3 of this Data Privacy Notice. This information is processed on AddThis servers in the USA. [We have arranged standard data privacy terms with AddThis.]. If you send content on our website to social networks or bookmarking services, a connection may be established between your visit to our website and your user profile on the network in question. We have no influence over the data collected and data-processing operations, nor are we aware of the full extent of data collection, of the purpose of the processing, or of retention periods. Neither do we have any information on the deletion of data collected by the plug-in provider.
The plug-in provider stores these data as usage profiles and uses them for the purposes of advertising, market research and/or to design their website in line with market needs. Such evaluation is carried out particularly – even for users who are not logged in – to deliver targeted advertising and to inform other social-network users about your activities on our website. You have the right to object to the creation of these user profiles; to exercise this right, you must contact the plug-in provider concerned.
If you choose not to participate in this process, you may opt out of data collection and storage at any time by setting an opt-out cookie, with effect for the future: http://www.addthis.com/privacy/opt-out Alternatively, you can set your browser to prevent a cookie from being stored.
Further information on the purpose and scope of data collection and processing by the plug-in provider is available from AddThis LLC, 1595 Spring Hill Road, Sweet 300, Vienna, VA 22182, USA, www.addthis.com/privacy.
4. Embedding of YouTube videos
We have embedded YouTube videos in our online offering; these are stored at www.YouTube.com and can be played directly from our website. [These are all embedded in Enhanced Privacy Mode, which means that no data about you as a user will be transmitted to YouTube if you do not play the videos. Only when you play the videos will the data referred to in paragraph 2 be transmitted. We have no influence over this data transmission.
When you visit the website, YouTube receives the information that you have accessed a particular page of our website. The data referred to in Section 3 of this Data Privacy Notice will also be transmitted. This takes place regardless of whether YouTube provides a user account that you are logged in to, or whether no user account exists. When you are logged in to Google, your information will be directly associated with your account. If you do not want your profile to be associated with YouTube, you must log out prior to activating the button. YouTube stores your data as usage profiles and uses them for the purposes of advertising, market research and/or to design their website in line with market needs. This kind of evaluation is, in particular – even for users who are not logged in – carried out to deliver targeted advertising and to inform other social network users about your activities on our website. You have the right to object to the creation of these user profiles; to exercise this right, you must contact YouTube.
5. Link to Google Maps
We use links to Google Maps on this website. This will redirect you to the Google Maps website and leave the MHH website.
6. Google My Business entry
We operate Google My Business listings for various MHH departments. Should you find us in this way, we make use of the information service offered by Google and the services of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter "Google").
We do not know how Google uses the data from the visit for its own purposes, to what extent activities of individual users are assigned, how long Google stores this data and whether data is passed on to third parties. As the provider of our Google My Business entries, we do not collect or process any other data from your use of this Google offering. Furthermore, we do not use any Google functions on our website.
§ 7 Data protection declaration of the Patient Service Center (PSC, telephone offer)
The separate data protection declaration exclusively for the telephone offer of the PSC can be downloaded here as a PDF (in german).