Privacy Statement in accordance with the GDPR

Name and address of the controller

The controller as defined by the General Data Protection Regulation and other national data protection laws of the Member States, as well as other provisions of data protection legislation is:

The Federal Association for Occupational Safety and Health (Basi)

Alte Heerstraße 111

53757 Sankt Augustin

Germany

General information on data processing

1. Nature and purpose of processing personal data.

We process the personal data of our users only to the extent necessary to provide a functioning website, as well as for our content and services. The processing of a user’s personal data is normally only done with the consent of the user. An exception applies in those cases in which it is not possible to obtain prior consent for genuine reasons and the processing of the data is permitted by statutory provisions.

2. Legal basis for processing personal data

Article 6(1)(a) of the General Data Protection Regulation (GDPR) serves as the legal basis insofar that we obtain the consent of the data subject to process personal data.

Article 6(1)(b) of the GDPR serves as the legal basis for the processing of personal data required for the performance of a contract to which the data subject is party. This also applies to processing which is necessary to carry out pre-contractual activities.

Article 6(1)(c) of the GDPR serves as the legal basis in the event that processing of personal data is necessary to fulfil a legal obligation to which our organisation is subject.

Article 6(1)(d) of the GDPR serves as the legal basis in the event that processing of personal data is necessary in order to protect the vital interests of the data subject or another natural person.

Article 6(1)(f) of the GDPR serves as the legal basis for the processing of data if this is necessary to safeguard the legitimate interests of our organisation or those of a third party, as long as this does not override the interests or fundamental rights and freedoms of the data subject.

3. Data erasure and storage period

The personal data of the data subject will be erased or made unavailable as soon as the purpose for which it was stored no longer applies. Moreover, the data may be stored if the European or Member State legislator has provided for this in Union regulations, laws or other provisions applicable to the data subject. The data shall also be erased or made unavailable if a storage period stipulated by the aforementioned provisions expires, unless it is necessary to further store the data in order to conclude or perform a contract.

Information on processors

This website uses the conference management software Converia, which is provided by Lombego Systems GmbH. Lombego Systems GmbH hosts the software and provides additional services such as software maintenance and support to the event organiser. Furthermore, Lombego Systems GmbH provides payment processing services for the organiser. Lombego Systems GmbH may therefore acquire personal data stored in the software while carrying out this work and is therefore to be regarded as the processor of the order.

A contract was concluded with Lombego Systems GmbH for order processing pursuant to Article 28 of the GDPR. (For information on the company, see the section ‘List of Processors’ in this document).

Provision of the website and creation of log files

1. Description and purpose of data processing

Each time a user accesses our website, our system automatically collects data and information from the user’s computer system.

The following data is collected:

  • information about the browser type and the version used
  • the operating system of the user
  • the internet service provider of the user
  • the IP address of the user
  • date and time of access
     

2. Legal basis for data processing

Article 6(1)(f) of the GDPR serves as the legal basis for the temporary storage of data and log files.

3. Purpose of data processing

The temporary storage of the IP address by the system is necessary to enable the website to be delivered to the user’s computer. To do this, the IP address of the user must remain stored for the duration of the session.

The data is stored in log files to ensure the functionality of the website. The data is also used to optimise the website and to ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place in this case.

These purposes also reflect our legitimate interest in data processing pursuant to Article 6(1)(f) of the GDPR.

4. Storage period

The data will be deleted as soon as it is no longer required for the purpose of its collection. In the case of collecting data to provide the website, deletion occurs when the session has ended.

If the data is stored in log files, this is deleted after ten days at the latest. Storage beyond this period is possible. In this case, the IP address of the user is deleted or modified in such a way that assignment to the accessing client is no longer possible.

5. Right to object and right to removal

The collection of data for the provision of the website and the storage of data in log files is essential for the operation of the website. Consequently, there is no possibility for the user to object.

Use of cookies

1. Description and purpose of data processing

Our website uses cookies. Cookies are text files that are stored in the Internet browser or by the Internet browser on the user’s computer system. When a user visits a website, a cookie can be stored on the user’s operating system. This cookie contains a unique identifier that allows the browser to be identified when the user visits the website again.

We divide cookies into the following categories:

Required Cookies (Type 1): These cookies are necessary for websites to function properly. Without these cookies, services such as event registration cannot be provided.

Functional Cookies (Type 2): These cookies make it possible to improve the user-friendliness and performance of websites and to make various functions available. For example, language settings can be stored in function cookies.

Performance cookies (Type 3): These cookies collect information about how you use websites. For example, performance cookies help us to identify particularly popular areas of our website. This enables us to tailor the content of our websites more closely to your needs and thus improve our services for you. The information collected with these cookies is not personal. Further information on the collection and evaluation of this information can be found in the ‘Evaluation of User Data’ section.

Third-party cookies (Type 4): These cookies are set by third parties, e.g. social networks. They are primarily used to integrate social media content such as social plug-ins into our site. Information about how we use social plugins can be found in the ‘Social Plugins’ section of the Privacy Statement.

 

2. Legal basis for data processing

The legal basis for the processing of personal data using cookies is Article 6(1)(f) of the GDPR.

3. Purpose of data processing

We use the following Type 1 cookies on our website:

Name of the cookie: PHPSESSID
Purpose: Identification of a user session

Name of the cookie: Converia_SID
Purpose: Identification of a front-end user

4. Storage period, right to object and right to removal

Cookies are stored on the user’s computer and sent to our site by the computer. Therefore, you as a user have full control over the use of cookies. You can deactivate or restrict the use of cookies by changing the settings in your Internet browser. Cookies that have already been stored can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it is possible that not all functions of the website can be used to their full extent.

Registration and use of the conference management software

1. Description and purpose of data processing

The conference management software offers users the opportunity to register by providing personal data. The data is entered into an input mask and transmitted to us and stored.

When registering, mandatory data may be required. This information must be complete and correct. If this is not the case, the registration will be rejected.

The system includes a function that requires the user to explicitly agree with the Privacy Statement before personal data is stored in the software.

Registration is usually required for the following activities:

  • sending submissions
  • reviewing submissions
  • activities as a speaker or session moderator
  • using the conference planner’s favourites function 

The following data is collected and stored as part of the registration process and using the software’s functions:

  • access data (username, password)
  • address details
  • email address
  • information on submissions
  • time and room planning information (conference plan)
  • membership information
  • verification information (e.g. proof of student status)
     

2. Legal basis for data processing

The legal basis for the processing of the data is Article 6(1)(f) of the GDPR, provided that the user has given his or her consent.

If the registration serves the purpose of performing a contract to which the user is a party or of implementing pre-contractual measures, the additional legal basis for the processing of the data is Article 6(1)(b) of the GDPR.

3. Purpose of data processing

User registration is required to perform a contract with the user or to implement pre-contractual measures.

4. Storage period

The data will be deleted as soon as it is no longer required for the purpose of its collection. In the case of the registration process with regards to the performance of a contract or the implementation of pre-contractual steps, this occurs when the data is no longer needed to perform the contract. Even after the performance of the contract, it may be necessary to store personal data in order to comply with contractual or legal obligations.

Since access data, including address details, can be used for other events such as follow-up events, this data is usually removed from the system no later than 2 years after the last login.

5. Right to object and right to removal

As a user you have the possibility to delete your registration at any time. You can change your stored data at any time. Please contact the controller by email or telephone (see information above).

If the data is necessary for the performance of a contract or to implement pre-contractual measures, early deletion of the data is only possible insofar as there are no contractual or legal obligations precluding this.

Rights of the data subject

If personal data collected from you is processed, you are the data subject as defined by the GDPR and you have the following rights with respect to the controller:

1. Right of access

You can request confirmation from the controller as to whether personal data concerning you is being processed by us. In the event that this is the case, you may ask the controller to provide you with the following information:

(1)       the purposes of processing your personal data;

(2)       the categories of personal data concerned;

(3)      the recipients or categories of recipient to whom the personal data has been or will be disclosed;

(4)       the envisaged period for which the personal data will be stored, or, if this is not possible, the criteria used to determine that period;

(5)      the existence of the right to rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;

(6)       the existence of the right to lodge a complaint with a supervisory authority;

(7)       all available information on the source of data, if the personal data is not collected from the data subject;

(8)      the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

You have the right to request information as to whether your personal data will be transferred to a third country or to an international organisation. If this is the case, you may request to be informed of the appropriate safeguards pursuant to Article 46 of the GDPR relating to this transfer.

2. Right to rectification

You have the right to have your incorrect personal data rectified and incomplete personal data completed by the controller. The data controller must carry out the rectification without undue delay.

3. Right to restriction of processing

You may request that the processing of your personal data be restricted if any of the following conditions are met:

(1)       if you dispute the accuracy of your personal data for a period of time which enables the controller to verify the accuracy of the personal data;

 (2)       the processing is unlawful and you oppose the deletion of your personal data and instead request the restriction of the use of your personal data;

(3)       the controller no longer needs the personal data for the purposes of the processing, but you require the personal data to establish, exercise or defend legal claims, or

(4)       if you have objected to the processing pursuant to Article 21(1) of the GDPR and it has not yet been established whether the legitimate grounds of the data controller outweigh yours.

If the processing of your personal data has been restricted, such data may, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

If the processing of your personal data has been restricted in accordance with the above conditions, you will be informed by the controller before the restriction is lifted.

4. Right to erasure

a)        Obligation to erase

You may request the controller to delete your personal data without undue delay and the controller is obliged to delete such data without undue delay if any of the following grounds apply:

(1)       The personal data relating to you is no longer necessary for the purposes for which it was collected or otherwise processed.

(2)      You withdraw your consent on which the processing, pursuant to Article 6(1)(a) or Article 9(2)(a) of the GDPR, was based and there is no other legal basis for the processing.

(3)       You object to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) of the GDPR.

(4)       Your personal data has been unlawfully processed.

(5)       The erasure of your personal data is necessary to comply with a legal obligation under Union law or the law of the Member States to which the controller is subject.

(6)       Your personal data has been collected in relation to information society services offered pursuant to Article 8(1) of the GDPR.

b)        Information provided to third parties

If the controller has made your personal data public and is obliged to erase such data in accordance with Article 17(1) GDPR, the controller shall, taking into account the available technology and implementation costs, take appropriate steps, including technical measures, to inform the controllers who process your personal data that, as the data subject, you have requested them to erase all links to, or copies or replications of, your personal data.

c)         Exceptions

The right to erasure does not apply to the extent that processing is necessary:

(1)       to exercise the right to freedom of expression and information;

(2)       to comply with any legal obligation required by Union or Member State law to which the controller is subject or to perform a task in the public interest or in the exercise of official authority vested in the controller;

(3)       for reasons of public interest in the field of public health pursuant to Article 9(2)(h) and (i) and Article 9(3) of the GDPR;

(4)       for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes pursuant to Article 89 (1) of the GDPR, insofar as the right referred to under point (a) is likely to make it impossible or seriously impair the attainment of the objectives of such processing, or

(5)       for the establishment, exercise or defence of legal claims.

5. Right to information

If you have exercised your right to rectify, erase or restrict the processing of your personal data against the controller, the latter is obliged to notify all recipients to whom your personal data has been disclosed of such rectification, erasure or restriction, unless this proves impossible or involves a disproportionate amount of effort. You have the right to be informed of such recipients by the controller.

6. Right to data portability

You have the right to receive the personal data concerning you that you have provided to the controller in a structured, commonly used and machine-readable format. In addition, you have the right to transmit this data to another controller without being hindered by the controller to whom the personal data has been provided, when:

(1)       the processing is based on consent pursuant to Article 6(1)(a) or Article 9(2)(a) of the GDPR or on a contract pursuant to Article 6(1)(b) of the GDPR; and

(2)       the processing is carried out by automated means.

In exercising this right, you also have the right to request that your personal data be transmitted directly by one controller to another controller, insofar as this is technically feasible. Freedoms and rights of other persons must not be affected by this.

The right to data portability shall not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

7. Right to object

You have the right, on grounds arising from your particular situation, to object at any time to the processing of your personal data on the basis of Article 6(1)(e) or (f) of the GDPR, including profiling based on these provisions.

The controller shall no longer process your personal data unless the controller can demonstrate compelling reasons for processing which justify overriding your interests, rights and freedoms, or the processing serves to establish, exercise or defend legal claims.

If your personal data is processed for the purpose of direct marketing, you have the right at any time to object to the processing of your personal data for the purpose of such marketing; this also applies to profiling to the extent that it is connected with such direct marketing.

If you object to processing for direct marketing purposes, your personal data will no longer be processed for such purposes.

You have the possibility to exercise your right to object by automated means using technical specifications in relation to the use of information society services, notwithstanding Directive 2002/58/EC.
 

8. Right to withdraw consent

You have the right to withdraw your consent at any time. The withdrawal of your consent does not affect the lawfulness of the processing that took place on the basis of your consent prior to the withdrawal.

9. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, place of work or place of alleged infringement, if you consider that the processing of your personal data violates the GDPR.

The following supervisory authority is responsible for us:

Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen
(Data Protection Commissioner for North Rhine-Westphalia)
Kavalleriestraße 2-4
40213 Düsseldorf
Germany
Telephone: +49 211/38424-0
Fax: +49 211/38424-10
E-Mail: poststelle@ldi.nrw.de

List of processors

Lombego Systems GmbH
Kaufstaße 2-4
99423 Weimar
Germany

Type of processing:
Hosting and operating the Converia conference management software
Maintenance and support