Privacy policy

We operate the website samplelocator.bbmri.de and collect certain data from our website visitors insofar as this is necessary. In the following privacy policy, we explain what we do with your personal data and why we do this. We also inform you about how we protect your data, when your data will be deleted and what your data protection rights are. Firstly though: we comply with the data protection laws and do all in our power to protect your privacy.

We wish to be entirely open though: the internet lives from the exchange of data and still has many security loopholes. Even if your data is encrypted when you visit our website, there is always a risk – at the latest during the exchange with third-party websites. If you visit other websites (e.g. via a link on our website), please note that this privacy policy does not apply to these third-party websites.

Who can I contact?

The provider of this website is:

Charité – Universitätsmedizin Berlin
German Biobank Node (GBN)
Charitéplatz 1
10117 Berlin

You can contact the GBN office at:

Charité – Universitätsmedizin Berlin
Campus Virchow Klinikum (CVK)
German Biobank Node (GBN)
Augustenburger Platz 1
13353 Berlin

Email: germanbiobanknode@charite.de
Phone: +49. 30. 450 536 347

The Charité – Universitätsmedizin Berlin is a public institution. It is legally represented by the Chairman of the Executive Board.

To reach the Charité’s internal data protection officer, email: datenschutz@charite.de.
In the event of specific questions about your data, its deletion or your rights, do not hesitate to contact us directly: germanbiobanknode@charite.de.
Should you wish to make a written request, simply mention “data protection”.

What are my rights?

You can contact us at any time should you have any questions about your data protection rights or wish to assert one of the following rights:
- Right of withdrawal pursuant to Art. 7 para. 3 GDPR
- Right of access pursuant to Art. 15 GDPR
- Right to rectification pursuant to Art. 16 GDPR
- Right to erasure pursuant to Art. 17 GDPR
- Right to restriction of processing pursuant to Art. 18 GDPR
- Right to data portability pursuant to Art. 20 GDPR
- Right to object pursuant to Art. 21 GDPR
- Right to lodge a complaint with a supervisory authority pursuant to Art. 77 para. 1 GDPR

You can also contact the data protection supervisory authority directly:
Competent supervisory authority:
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstraße 219
10969 Berlin
Email: mailbox@datenschutz-berlin.de
Phone: +49 30 13889-0
Fax: +49 30 2155050

Deletion of data and storage period

Unless stated otherwise, we will delete your data as soon as it is no longer needed. Your data will also be blocked or deleted if a storage period prescribed by law expires, unless there is a need for further storage of the data for the conclusion or fulfilment of a contract. Certain data may need to be kept longer for legal reasons. You can of course request information about the stored data on your person at any time.

Legal basis for data processing

We only collect and process your personal data when there is a legal basis for this. In addition to your express consent, other legal bases may apply. If processing is based on your consent, Art. 6 para. 1(a) GDPR shall serve as the legal basis.

If the processing of personal data is necessary for the performance of a contract, Art. 6 para. 1(b) GDPR shall serve as the legal basis.

If the processing of personal data is necessary for compliance with a legal obligation to which our company is subject, Art. 6 para. 1(c) GDPR shall serve as the legal basis.

If processing is necessary to safeguard a legitimate interest of the German Biobank Node or a third party and if such interests are not overridden by the interests, fundamental rights and freedoms of the data subject, Art. 6 para. 1(f) GDPR shall serve as the legal basis. If processing is based on such a balancing of interests, you have the right to object to the processing of your personal data provided that you have special reasons for doing so and we cannot prove any compelling reasons worthy of protection for the processing.

You will find the relevant legal basis for individual data processing at the end of the respective description of data processing.

If we commission service providers for individual service functions or would like to use your data for advertising purposes, we will inform you in detail below of the respective processes. If we cooperate with service providers, we select these extremely carefully, taking particular note of their compliance with the legal requirements for data protection and data security. We have moreover concluded order processing contracts with them, which comply with the requirements of Art. 28 GDPR. If service providers are based outside of the EU, we ensure that the appropriate safeguards exist pursuant to Art. 46 GDPR and that an adequate level of data protection is provided by the processor. Certification according to the EU-US Privacy Shield or so-called EU standard data protection clauses is considered adequate, for example. We refer to the appropriate safeguards in the respective places.

Your visit to our website

If you merely wish to browse our website, we do not collect any personal data – with the exception of the data that your browser transmits to enable you to visit the website. This includes:
- IP address (e.g. 95.91.215.example or 2a02:8109:9440:1198:bdb1:551f:example)
- approximate location based on IP range (e.g. Berlin and surrounding area)
- internet provider (e.g. Vodafone)
- internet speed (e.g. 120 Mbit)
- date and time (e.g. 11:45 on 25/05/2019)
- last website visited (e.g. google.com)
- browser (e.g. Firefox or Safari)
- operating system (e.g. Mac OS)
- hardware (e.g. main processor)

The IP address is most important for you as a visitor to our website, as this data can theoretically be traced back to you as an individual. To protect your privacy, your IP address will be deleted or anonymized following your visit to our website. The other technical data can then no longer be traced back to you and only serves anonymous, statistical purposes to optimise our website. Your data is stored temporarily at the start to safeguard your connection as well as to ensure access and the correct display of our website. The IP address and aforementioned technical data are required to display the website, prevent display problems for visitors and rectify any errors. The legal basis is the so-called legitimate interest, which has been reviewed within the framework of the aforementioned precautionary measures and in accordance with the European data protection requirements pursuant to Art. 6 para. 1(f) GDPR.

Cookies and browser data

When you visit our website, your session is stored via a cookie. Cookies are small text files that are stored by a browser on the user's computer. They contain information about the current or last visit to the website. We use temporary session cookies, which are automatically deleted after closing the browser. If you merely wish to browse our website, we do not collect any personal data – with the exception of the data that your browser transmits to enable you to visit the website (e.g. IP address, internet provider, last website visited, browser, operating system).

You can configure, block and delete cookies in your browser settings. You can delete the cookies in the security settings of your browser at any time. Be aware, though, that if you delete all cookies for our website, some of the functions of the website might not display correctly.

Data collection

The Sample Locator’s first stage, the "feasibility search", is publicly available. The search result shows how many of the desired samples in total are available in the biobanks connected to the Sample Locator. All requests are stored on our server with date stamps (but no personal data) for 12 months. The requests are evaluated anonymously for statistical purposes. The knowledge gained this way helps us to improve our services. The legal basis for this is the so-called legitimate interest, which has been reviewed to pursue the intended purpose and within the framework of the aforementioned precautionary measures as well as in accordance with the European data protection requirements pursuant to Art. 6 para. 1(f) GDPR. An order processing contract has moreover been concluded, which complies with the requirements of Art. 28 GDPR.

After logging in via the authentication service BBMRI-ERIC AAI, users will then see how many samples are available at which locations. For the login, i.e. the purpose of initiating a contract on the basis of Art. 6 Para. 1 lit. b) GDPR, BBMRI-ERIC then also collects required personal data.

Please see the BBMRI-ERIC Privacy Notice for more details.

Google Fonts

For visual improvement of the typeface, we use Google Fonts (https://fonts.google.com) from Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”), a font collection offered by Google. When you access this website or other websites, these fonts are transferred to your browser’s storage folder and activated. Website text will only be displayed in a standard font if this is not supported. To enable this, a request is sent to domains such as fonts.googleapis.com or fonts.gstatic.com. For technical reasons, this request contains your IP address. Your data will not be combined with other data or traced back to you personally, however.

As a precautionary measure, we have assured ourselves that when you access the Google font collection, the data will not be combined with other Google services, e.g. if you have a Google account. This is confirmed in the Google Fonts privacy information (https://developers.google.com/fonts/faq). The high security standards of the Google platform and the associated Google privacy policy also apply (www.google.com/intl/de-DE/privacy). Given that Google is based in the USA and thus in a so-called third country, further safeguards are required to ensure an adequate level of data protection meeting the European standards. Google has been certified under the so-called EU-US Privacy Shield and therefore demonstrates an adequate level of data protection (www.google.de/policies/privacy/frameworks).

The purpose of data transmission is the correct display of fonts in our chosen format. The IP address is required to establish a connection to Google’s servers in order to download the font collection if this is not already stored on the device. The legal basis for this is the so-called legitimate interest, which has been reviewed to pursue the intended purpose and within the framework of the aforementioned precautionary measures as well as in accordance with the European data protection requirements pursuant to Art. 6 para. 1(f) GDPR.

Establishment, exercise and defence of legal claims

It may sometimes be necessary for us to process personal data – in conformance with local laws and regulations – in order to exercise or defend legal claims. Art. 9 para. 2(f) GDPR permits this when processing is "necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity".

This may occur, for example, if we must seek legal advice for legal proceedings or are legally required to retain or disclose certain information during legal proceedings.

Personal data of children

We are aware of the importance of safeguarding children’s safety and protecting their data on the internet. For this reason – and in order to comply with certain laws – we neither intentionally collect personal, individually identifiable information from children under the age of 16, nor do we provide content for children under the age of 16.

Privacy policy last updated in: January 2020