1.1 Personal data (GDPR, Article 4(1))
Data protection refers to the protection of personal data (hereinafter also referred to as data), which in turn means any information relating to an identified or identifiable natural person. This includes, for example, data such as the person’s name, address, occupation, email address, marital status, telephone number and, if applicable, any Internet user data, such as an IP address.
1.2 Controller (GDPR, Article 4(7))
The controller – i. e. the body responsible for the processing of your personal data within the context of your use of the www.boehringer-ingelheim-stiftung.de website (hereinafter referred to as the website) – is the Boehringer Ingelheim Stiftung, (hereinafter referred to as the BIS, the website operator, or the controller). The controller’s contact details are:
Boehringer Ingelheim Stiftung
Represented by the Executive Committee: Christoph Boehringer (Chairman), Professor Dr Dr Andreas Barner, Professor Dr med. Michael P. Manns
Phone: +49 (0) 6131 / 27 50 8-12
Fax: +49 (0) 6131 / 27 50 8-11
1.3 Contact address for inquiries concerning data protection
1.4 The opportunity to object
If, in accordance with this data protection declaration, you wish to deny the BIS permission to process your data entirely or for particular purposes, you can do so by sending an email to data-protection(at)bistiftung.de. Please note that objecting to such data processing may limit or entirely prevent your use of the website and your ability to access the services offered on it.
2. Scope and purposes of data processing, legal basis, provision of data, and duration of storage
2.1 Access and use of the website
Each time the website and its sub-pages are accessed, usage data is transmitted to the BIS via the user’s respective Internet browser and stored in the BIS server’s log files. The stored data sets include the following information:
- Date and time of access
- Name of the accessed sub-page
- IP address
- Referrer URL (the URL from which you came to the website)
- Amount of data transferred
- The user’s browser product and version thereof
The admissibility of such data processing is governed by Article 6(1)(b) of the GDPR, which states that data processing is lawful if it is “necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.” The data processed by the website operator are required to enable the data subject to access and use the website. This concerns data whose processing is necessary to the use of a given telecommunications medium. In the present case, the data subject would otherwise be unable to access the website.
The log files are evaluated by the BIS in an anonymous state in order to further improve the website and make it more user-friendly, find and correct errors more quickly, and manage server capacities. Performing these evaluations enables the BIS, for example, to identify the time periods in which users particularly favour using the website, and thus provide adequate data transfer resources.
The admissibility of such processing is governed by Article 6(1)(f) of the GDPR, according to which such processing is lawful if it is necessary to safeguard the legitimate interests of the data controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. Making available a website that contains information, providing services to customers, and optimising website operation are legitimate interests of the website operator.
After the data subject has ceased using the website, his/her IP address is either deleted or rendered anonymous. Anonymizing an IP address consists of altering it in such a manner that, barring a disproportionately large amount of time, expense, and manpower, it can no longer be attributed to a specific or identifiable natural person.
2.2 Email at the click of a button
At some locations on the website, you are offered the opportunity to open and send an email addressed to the BIS simply by clicking on a “mailto” link. In doing so, the email address associated with your email programme is automatically employed as the sender’s email address. If you do not wish your email address to be accessed in this way, you can change your email programme’s settings to prevent such access.
The admissibility of such data processing is governed by Article 6(1)(b) of the GDPR, which states that data processing is lawful if it is “necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.” In order, however, to contact the website operator by email, it is necessary to provide the website with this personal data.
Once statutory data storage obligations have expired, the processed personal data are deleted by the controller, unless it has a legitimate interest in continuing to store the data. In any event, only those data that are genuinely required to fulfil the purpose in question will continue to be stored. To the extent that it is possible, the personal data will be rendered anonymous.
The BIS website employs cookies. These are small data files usually consisting of letters and numerals that are stored in your browser by certain websites when you access them. Cookies enable the website to recognize the browser you are using, to follow you as you browse through different sections of the website, and to identify you when you return to the website. While cookies do not themselves contain any data that personally identify you, any information stored by the website operator about you can be assigned to the data that have been acquired by and stored in the cookies.
- Identification of the website user’s computer whenever the website user visits the website
- Tracking the user's browsing activities on the website
- Improving the user-friendliness of the website
- Analysing the website’s use
- Website operation
- Preventing fraudulent activity and improving website security
- Personalized website presentation according to the user’s needs
Cookies cause no harm to browsers. They do not contain viruses and do not enable the website operator to spy on you. There are two types of cookies:
- Temporary (or session) cookies are automatically deleted whenever you close your browser.
- Persistent cookies have a maximum lifetime of 20 days. These enable a website to recognize you whenever you re-visit the website.
Cookies enable the website operator to ascertain your website usage behaviour to an appropriate extent with respect to the aforementioned purposes. They are also intended to optimize your browsing experience while visiting the website operator’s website. These data are also collected by the website operator only in an anonymous form. The admissibility of such processing is governed by Article 6(1)(f) of the GDPR, according to which such processing is lawful if it is necessary to safeguard the legitimate interests of the data controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. Optimising the website’s presentation is a legitimate interest of the website operator. The data provided by means of cookies are required for the data subject to access the website operator’s website without encountering errors. By not accepting cookies or deleting previously stored cookies, you may experience limited website functionality.
3. Data subject’s rights to access, to rectification, to erasure, to restriction of processing, to object, and to data portability
3.1 Right to access (GDPR, Article 15)
Upon request, the BIS will inform you whether it is processing any data concerning you. The BIS endeavours to process requests for information promptly.
3.2 Right to rectification (GDPR, Article 16)
You have the right to demand the BIS to correct any inaccurate personal data concerning you without undue delay.
3.3 Right to erasure (GDPR, Article 17)
You have the right to demand the website operator to delete personal data concerning you without undue delay. Further, the operator is obliged to delete personal data without undue delay, provided that one of the reasons stated in Article 17(1)(a-f) of the GDPR applies.
3.4 Right to restriction of processing (GDPR, Article 18)
You have the right to demand the website operator to restrict its processing of your data, when one of the conditions stated in Article 18(1)(a-d) of the GDPR exists.
3.5 Right to object (GDPR, Article 21)
You have the right to object at any time, on grounds relating to your particular circumstances, to any processing of personal data concerning you for any of the purposes stated in points (e) or (f) of Article 6(1) of the GDPR. The website operator will then cease to process the data in question, unless it can demonstrate compelling and defensible grounds for continuing to process the data that override your interests, rights, and freedoms, or unless continuing to process the data serves the purpose of asserting or exercising legal claims, or defending against them.
You also have the right to object, on grounds relating to your particular circumstances, to any processing of personal data concerning you for historical, scientific, or statistical purposes, performed pursuant to Article 89(1) of the GDPR, unless the processing is necessary for the performance of a task carried out in the public interest.
To notify us of your objection, please use the email address data-protection(at)bistiftung.de.
3.6 Right to data portability (GDPR, Article 20)
You have the right to receive, in a structured, commonly used and machine-readable format, the personal data concerning you that you have provided to the BIS. You also have the right to “transmit those data to another controller without hindrance from the controller to which the personal data have been provided” (i. e. the BIS), provided that the processing is based on consent pursuant to Article 6(1)(a) or Article 9 (2)(a) of the GDPR, or on a contract pursuant to Article 6(1)(b) of the GDPR, and the processing is carried out by automated means.
4. Withdrawal of consent
If you have given the BIS your consent to process your personal data and subsequently withdraw this consent, the lawfulness of any processing of data that has already been performed prior to your withdrawal of consent shall not be affected.
5. Right to lodge a complaint
You have the right to lodge a complaint with the respective supervisory authority.
6. Recipients of personal data
Any data that is gathered in the course of your accessing and using the website, as well as any information you provide when contacting the BIS, is transmitted to the BIS server and stored there. In addition, your data may be supplied to the following categories of recipients:
- Persons at the controller who are involved in the processing of data (e. g. administrative staff, members of the Executive Committee)
- E. g. external peer reviewers, board members
- Contractors (e. g. IT service providers, software support staff)
- Contractual partners of the website operator (e. g. hosting service provider)
7. Links to third-party websites
When visiting the BIS website, content may be displayed that is linked to the websites of third parties. The BIS has no access to the cookies or other functions employed by third parties on their websites, nor can the BIS control these. Such third parties are not subject to the data protection provisions of the website operator.
27. August 2018