Scope
This privacy statement explains to users the type, scope and purpose of the processing of personal data by the controller according to Art. 4(7) GDPR, namely
- Georg-August-Universität Göttingen
- Stiftung öffentlichen Rechts
- University Medical Center Göttingen
- Robert-Koch-Str. 40
- 37077 Göttingen, Germany
Represented by the management board
- Telephone: +49 (0)551 39-0
- Email: poststelle@med.uni-goettingen.de
(hereafter “UMG”)
within the framework of the whistleblowing system made available at the following URL https://www.bkms-system.com/umg (hereafter “BKMS® System”).
The legal basis for the data protection lies in the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), the Data Protection Act of Lower Saxony (NDSG) and the German Telemedia Act (TMG). The UMG complies with the applicable laws, particularly concerning the processing of personal data.
The data protection officer of the UMG can be reached at:
- University Medical Center Göttingen
- -Data Protection Officer-
- 37099 Göttingen, Germany
- Telephone: +49 (0)551 39-22762
- Email: datenschutz@med.uni-goettingen.de
The data protection supervisory authority with competence over the UMG with regard to data protection is:
- Die Landesbeauftragte für den Datenschutz Niedersachsen (state representative for data protection of Lower Saxony)
- Prinzenstraße 5
- 30159 Hannover, Germany
- Telephone: +49 (0511) 120 45 00
- Fax: +49 (0511) 120 45 99
- Email: poststelle@lfd.niedersachsen.de
Handling of personal data
Personal data means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (Art. 4(1) GDPR).
The law applies to the processing of personal data:
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (Art. 4(2) GDPR).
The processing of personal data within the framework of the BKMS® System takes place according to Art. 6(1)(1)(c) GDPR based on a legal obligation of the UMG arising from §15, Hospitals Act of Lower Saxony (NKHG), in connection with §§135a, 136a, Social Security Statute Book 5 (SGB V).
Processing upon a visit to the BKMS® System
In order to maintain the connection between your computer and the BKMS® System, a cookie is stored on your computer that contains only the session ID (a so-called session cookie). Cookies are small text files stored on your hard drive and associated with the browser used. Such session cookies, or transient cookies, are deleted automatically when you close the browser.
Cookies cannot cause any damage to your computer. There is no security risk in the sense of a virus or spying on your computer.
When using the BKMS® System for exclusively informational purposes, in other words, if you do not register or transmit any other information, the following data (called server log files) are transmitted by your browser to the BKMS® server and saved for only as long as technically required to display the BKMS® System to you and to ensure stability and security (legal basis is Art. 6(1)(1)(e) GDPR):
- Date and time of the request;
- Encryption protocol;
- Cipher suite;
- Operating system of the user;
- Browser type and version.
Additional data (e.g. IP address) are not collected.
Communication between your computer and the BKMS® System takes place over an encrypted connection (SSL). Your IP address will not be stored during your use of the whistleblowing system.
Processing upon contact via the BKMS® System
In the BKMS® System, you can submit reports via the corresponding contact forms. No personal data is required of you here by the UMG. To the extent that personal data (e.g. name, address, field of work and email addresses) are collected via the contact forms, this only ever takes place if you enter this information there voluntarily.
If you wish to remain in contact with the examiner at the UMG for additional information and for follow-up questions, you can set up a secured postbox with (1) a password selected by you and (2) a freely selectable user name. There is no requirement to use real names, in other words, it is possible to use a pseudonym, and this is even recommended by the UMG. All data sent via the secured postbox are encrypted and stored exclusively in the BKMS® System, ensuring that the data receive special protection superior to that of typical email communication.
Personal data and all information entered into the BKMS® System are stored in a database operated by a provider (EQS Group GmbH, Bayreuther Str. 35, D-10789 Berlin, Amtsgericht (local court) Berlin-Charlottenburg, HRB 127554 B) in a high-security data centre. All data are stored encrypted with multiple levels of password protection so that access is restricted to a very small selection of expressly authorised and specially trained employees of the UMG. Neither EQS Group GmbH nor other third parties have access to interpretable data. This is ensured in the certified procedure through extensive technical and organisational measures.
During the processing of a report or the conducting of a special investigation, it may become necessary to forward reports to additional employees of the UMG or its subsidiaries. We are also legally obligated to inform accused parties of any reports received against them as soon as the disclosure of this information no longer jeopardises the investigation. We always ensure compliance with the applicable data protection regulations when sharing reports. If you did not submit your report anonymously, your identity as a whistleblower will therefore not be disclosed – unless required by law. Sharing of your personal data provided with the report only takes place if this is necessary to complete the purpose of your report (e.g. compliance with a legal obligation [see Art. 6(1)(c) GDPR] or if this is necessary due to vital interests of the data subject [see Art. 6(1)(d) GDPR]).
Note on sending attachments: When submitting a report or an addition, you can simultaneously send file attachments to the employee of the UMG responsible for the processing of your report. If you would like to remain anonymous, please note that files can contain hidden personal data that compromise your anonymity. Remove this data before sending! If you are unable to remove this data or are uncertain about how to do so, copy the text of your attachment into your report text or send the printed document anonymously to the address listed in the footer, citing the reference number received at the end of the reporting process.
Right to information; erasure and blocking
You are entitled to the legal rights to information according to the GDPR and BDSG upon request to the responsible person named in the company details.
Specifically, you have the following rights with regard to your personal data:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object to the processing (Art. 21 GDPR)
The erasure or blocking of your stored personal data takes place according to the statutory requirements.
You also have the right according to Art. 77 GDPR to lodge a complaint with a data protection supervisory authority (e.g. with the data protection supervisory authority with competence for the UMG, as indicated above under 1.).