Privacy policy for this website

In the following, we inform you about the processing of your personal data by the Bavarian Red Cross Blood Donor Service (Blutspendedienst des Bayerischen Roten Kreuzes gemeinnützige GmbH; "we") when you visit this website (www.bio-bank.de) and your rights under the data protection regulations. You will learn for what purposes and on what legal basis we process your personal data, how long we store it and what rights you have in relation to your data. We will also tell you who we share your information with and how you can contact us if you have any questions.

For information about the processing of your personal data in other contexts, e.g. with blood donations, when using our apps, social media sites or our digital services, please visit www.blutspendedienst.com/datenschutz.

I. Controller and Data Protection Officer

Responsible entity:
Blutspendedienst des Bayerischen Roten Kreuzes gemeinnützige GmbH
Herzog-Heinrich-Straße 2-4, 80336 Munich, Germany
Phone: 004989 5399-0
Fax: 004989 5399-4005
Hotline: 0049800 11 949 11
info@blutspendedienst.com

You are also welcome to contact our Data Protection Officer at any time:
Blutspendedienst des Bayerischen Roten Kreuzes gemeinnützige GmbH
Data Protection Officer
Herzog-Heinrich-Straße 2, 80336 Munich, Germany
Email: datenschutz@blutspendedienst.com

II. For what purposes do we process which personal data?

We process personal data that we receive from you when you visit our website or use corresponding input fields. Specifically, we process your personal information for the following purposes:

1. Provision of the website and IT security

When you visit our website, we automatically process the log files of our web server. These log files contain technical information about your use of the website (usage data). This is the referrer URL (the website from which you came to the current website), access time, name of the accessed (sub-) website or file, amount of data transferred, status of the retrieval, browser type and version, operating system type and version and your IP address ("server data").

The legal basis for the processing of this personal data is Art. 6 para. 1 lit. f GDPR (legitimate interest).

We process this personal data to operate the Website and to ensure IT security. The purpose of the processing is to provide the Website in a functional and secure manner.

We will delete your personal information when it is no longer necessary to achieve the purpose for which it was collected. In the case of personal data collected for the provision of the website, this is the case when the relevant session has ended and the personal data is no longer required for IT security purposes. In addition, we only store your usage data to comply with any legal retention obligations.

2. For contacting us

If you contact us via the input masks on our website (in particular the contact form), we process the data you provide and our subsequent correspondence. Depending on your request, we process the following personal data ("contact data"): Personal information (e.g. name, date of birth), service-related information (e.g. donor number, customer number), professional and private contact details (e.g. address, email address, fax) and company information (e.g. company and department), as well as the content and subject of your contact and our correspondence thereon. We also process server data in connection with your request and our communication.
Please only provide health data as part of your inquiry if you consider this to be absolutely necessary. By doing so, you consent to us processing your health data for the purpose of contacting you. You can withdraw your consent at any time with effect for the future. However, any processing carried out prior to withdrawal will remain lawful.
If you send us your inquiry by e-mail to an e-mail address provided on our website, we also process your e-mail address and the content of the message. Please note that data transmission by e-mail may not be secure. Effective protection against unauthorized access by third parties can only be achieved through additional measures (in particular e-mail encryption). Please do not hesitate to contact us for this purpose.

The legal basis for the processing of this personal data is Art. 6 para. 1 lit. b GDPR (performance of a contract/ entering into a contract). If no contractual relationship is involved or sought, our legal basis is Art. 6 para. 1 lit. f GDPR (legitimate interest). Our legitimate interest is to offer you the possibility to contact us at any time and to be able to respond to your requests. The legal basis for the processing of any health data in the context of contacting us is Art. 9 para. 2 lit. a GDPR (consent).

We need to process the contact data in order to handle the contact and your request. The server data helps us to prevent misuse of the website and to ensure the security of our information technology systems.

Your personal data will be deleted as soon as it is no longer required to achieve the purpose for which it was collected. We only process your personal data until we have finally answered your inquiry. Beyond that, we only store your personal data to comply with any legal retention obligations.

3. Comments on blog posts

If you post a comment on a blog post on our website, we will process your name, email address and comment. Your name, the time of publication of your comment and your comment will be published on the website as described in more detail in connection with the respective comment. We also process server data in connection with your comment.

The legal basis for the processing of this personal data is Art. 6 para. 1 lit. f GDPR (legitimate interest).

We process your personal data to enable and display public comments to you and other users and - in the case of illegal comments - to disable or delete comments or to contact or block users. The server data helps us to prevent misuse of the website and to ensure the security of our information technology systems.

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. This is usually the case when the blog is deleted. In addition, we only retain your personal data to comply with any legal retention obligations.

4. Cookies and similar technologies

When you visit our website, we process your personal data through the use of cookies and similar technologies (collectively, "cookies" unless otherwise stated).

Diese Cookie-Richtlinie wurde erstellt und aktualisiert von der Firma CookieFirst.com.

Third party cookies

Our websites may also contain content from third-party providers that use their own cookies. Such third parties may set cookies and request information during your visit to our websites. Please visit the websites of the third party to learn how they use cookies. Information about each third party and the link to their privacy policy/cookie policy can be found in the table above. You can refuse third party cookies at any time or withdraw your consent to these cookies for the future by using the buttons above. If you opt out of third party cookies, we will only be able to provide you with features on our websites that can be used without these cookies. Areas of our websites that embed third party content and therefore require the setting of third party cookies will not be available to you in this case.

Where is information collected through cookies processed?

Information collected through cookies is primarily processed within the European Union (EU). In some cases, cookie information may also be processed by third parties in countries outside the EU that do not offer a comparable level of data protection from an EU perspective. In some countries, there is a particular risk that local authorities may gain access to data processed there for surveillance purposes and that no effective legal remedies are available against this. Insofar as you have given your consent to cookies requiring consent, you also consent to the transfer and further processing of information collected through cookies to countries outside the EU.

5. Fonts

We only use locally hosted fonts on our website.

III. Who gets your data?

1. Processor

We share your personal data with service providers who assist us in the operation of the website and the above-mentioned purposes as processors (Art. 28 GDPR). These are companies in the categories of IT services, printing and shipping services, logistics, telecommunications, consultancy and advice as well as sales and marketing, in particular:

  • Sendinblue SAS, 47, Rue de la Chaussée d'Antin, 75009 Paris, France (dispatch service provider for sending e-mails and handling of consent management);
  • Deltacity.Net GmbH & Co. KG, Am Biederlackturm 2, 48282 Emsdetten, Germany (Website operation and hosting, Website programming and content delivery).

2. Transferees

We pass on your personal data to other responsible parties (so-called transferees) who process your personal data for their own purposes, insofar as this is necessary for the execution of the contract or the provision of services. The respective providers may use the data thus transmitted exclusively for the purpose for which we transmitted it. The transfer of your personal data for these purposes takes place for the performance of the contract, Art. 6 para. 1 lit. b GDPR as well as due to our legitimate interest in making our operations efficient, Art. 6 para. 1 lit. f GDPR. These are the following cases:

  • Website service provider
    Where applicable, functionalities of our website require that the providers process your personal data under their own responsibility. The transfer of your personal data for these purposes is based on our legitimate interest in providing you with the respective functionality, Art. 6 para. 1 lit. f GDPR. If your consent is required for the transfer to website service providers, we will obtain it separately from you in advance.
  • Legal obligation or enforcement of legal claims
    In addition, in individual cases, we share your personal information with authorities, courts, or other organizations to protect the legitimate interests of ourselves or others, or to comply with legal obligations. Reasons for this may include asserting legal claims and defending legal disputes, ensuring IT security and IT operations of the blood transfusion service, or preventing and investigating criminal offenses. In the event of such a transfer, we will inform you separately in accordance with the requirements of data protection law.
  • Data transmission to bodies in countries outside the European Union
    No data is transferred to entities in countries outside the European Union (so-called third countries). The exception to this is data transfer in cases where we use cookies or social media technologies from non-European providers, as described in more detail above. In such cases, we ensure an adequate level of data protection through corresponding guarantees, where required by law, e.g. EU standard contractual clauses, adequacy decision or BCR certification. If you would like more information about the safeguards we use or a copy of them, please contact us at datenschutz@blutspendedienst.com.

IV. Your rights

You have the following legal rights in relation to your personal data with respect to the Blood Donation Service, provided that the relevant conditions are met. You can find more information about your rights and the relevant conditions on the EU Commission's website at https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens_de.

1. Right to information

You have the right to obtain information from us about which personal data we process. In particular, you may request information about the purposes of the processing, the categories of data processed, any recipients and the intended retention period.

2. Right to rectification

You have the right to request the rectification of inaccurate personal data without undue delay. Taking into account the purposes of the processing, you have the right to request the completion of incomplete personal data.

3. Right to erasure ("right to be forgotten")

You may have the right to have your personal information deleted. This may be case, for example, if your personal data is no longer necessary for the original purposes, if you have withdrawn your declaration of consent under data protection law, or if the personal data has been processed unlawfully.

4. Right to restrict processing

You may request the restriction of the processing of your personal data if and insofar as the accuracy of the data is disputed by you, the processing is unlawful but you object to its deletion, or the data is no longer needed by us but is required for the establishment, exercise or defense of legal claims, or you have objected to the processing pursuant to Art. 21 GDPR.

5. Right to data portability

You have the right to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format. The right to data portability includes the right to transfer the data to another controller; therefore, upon request, we will transfer the data directly to a designated controller where technically feasible.

6. Right to object

As a data subject, you have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out pursuant to Art. 6 para 1lit. e (public interest) and Art. 6 para 2 lit. f GDPR (legitimate interest). This also applies to profiling based on this provision in the sense of Art. 4 No. 4 GDPR.

In the case of direct marketing, you as the data subject have the right to object at any time to processing of personal data concerning you for the purpose of such marketing.

An objection can be made informally and should preferably be addressed to: datenschutz@blutspendedienst.com.

7. Right to withdraw of consent

You have the right to withdraw your consent under data protection law at any time with effect for the future. Withdrawal of consent does not affect the lawfulness of processing based on consent prior to its withdrawal.

8. Right to complain to supervisory authority

You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, workplace or the place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR.

V. Automated individual decision-making

In order to achieve the respective purposes and to provide the respective services, we do not use fully automated decision-making including profiling pursuant to Art. 22 GDPR.

VI. External links

Where links to other, external websites are provided, we have no influence or control over the linked content and the data protection provisions there. We recommend that you check the privacy policy of linked websites to determine whether and to what extent personal data is processed or made available to third parties.

VII. Changes

This privacy policy may change from time to time. This also includes further developments due to changes in our offers on the website as well as adjustments due to a changed legal situation and/or due to the implementation of new technologies or services on the website. We will post any such updates to the Privacy Policy on this page. In the event of significant changes, we will indicate this accordingly.

VIII. Further questions

If you have any further questions that our Privacy Policy has not answered, please contact us using the contact information provided in section I.

Status: August 2023