Data protection

Contact details of the responsible person

Federal Institute for Drugs and Medical Devices
Kurt-Georg-Kiesinger-Allee 3
53175 Bonn
Germany

Represented by the President
Prof. Dr Karl Broich

Phone: +49 (0)228 99 307-0
Fax: +49 (0)228 99 307-5207
E-mail: poststelle@bfarm.de
Website: www.bfarm.de

As an independent higher federal authority in the portfolio of the Federal Ministry of Health (BMG), the Federal Institute for Drugs and Medical Devices (BfArM) is subject to the provisions of the General Data Protection Regulation and the Federal Data Protection Act (BDSG).

Contact details of the data protection officer of the controller

E-mail: datenschutz@bfarm.de

General information on data processing

Description and scope of data processing

As a matter of principle, we only collect and use users’ personal data to the extent that this is necessary for the provision of a functional website and our content and services. The collection and use of users’ personal data is generally only carried out with their consent. Exceptions apply in cases where it is not possible to obtain prior consent for actual reasons, the processing is technically necessary for the provision of the website or the processing of the data is permitted by legal regulations.

Insofar as further processing of personal data is required for the performance of our services, we will inform you of this at the appropriate point and refer you to the relevant section in this declaration.

Legal basis for the processing of personal data

Insofar as we obtain the consent of the data subject for processing operations involving personal data, Article 6(1)(a) of the EU General Data Protection Regulation (GDPR) serves as the legal basis. When processing personal data that is necessary for the performance of a contract to which the data subject is a party, Article 6(1)(b) of the GDPR serves as the legal basis. This also applies to processing operations that are necessary for the performance of pre-contractual measures. If processing of personal data is necessary for compliance with legal obligations to which the BfArM is subject, Article 6(1)(c) of the GDPR serves as the legal basis. In the event that vital interests of the data subject or another natural person require the processing of personal data, Article 6(1)(d) of the GDPR serves as the legal basis. Where the processing of personal data is necessary for the purposes of our legitimate interests or those of a third party, the processing is not carried out by a public authority in the performance of its tasks, and the interests or fundamental rights and freedoms of the data subject which require the protection of personal data do not override those interests, the processing is carried out on the basis of Article 6(1)(f) of the GDPR.

If the processing of personal data takes place within the framework of the performance of tasks which are in the public interest or in the exercise of official authority which has been transferred to the BfArM as the controller, Article 6 (1) (e) DSGVO in conjunction with Section 1 (1) and (3), Section 4 (1) and (4) of the Act on Successor Institutions to the Federal Health Agency (BGA-NachfG) in conjunction with Section 77 (1) of the German Medicines Act (AMG) serves as the legal basis. The statutory delegation of tasks, which serves us in conjunction with Article 6(1)(e) DSGVO as the legal basis for the processing of personal data, among other things, is given concrete form at the national level in a number of special laws. In addition to the AMG already mentioned, these include, for example, the Narcotics Act (BtMG), the Medical Devices Act (MPG), the Medical Devices Safety Plan Ordinance (MPSV) and the Basic Substances Monitoring Act (GÜG). These legal bases also apply in particular to the processing of personal data in connection with the forms provided on this website.

Duration of storage or criteria for the duration

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. Storage may also take place if this has been provided for by the European or national legislator in Union regulations, laws or other provisions to which the person responsible is subject. Data will also be blocked or deleted if a storage period prescribed by the aforementioned standards expires, unless there is a need to continue storing the data for the conclusion or fulfilment of a contract.

Hosting

Description and scope of data processing

This website is hosted by a service provider of DLR (hoster). The personal data collected on this website is stored on the host’s servers.

The host is used for the purpose of fulfilling contracts with our potential and existing customers (Article 6(1)(b) DSGVO) and in the interest of a secure, fast and efficient provision of our online services by a professional provider (Article 6(1)(f) DSGVO).

Our hoster will only process your data to the extent necessary to fulfil its performance obligations and to comply with our instructions in relation to such data.

DLR uses the following hoster:

HostPress GmbH
Bahnhofstr. 34
66571 Eppelborn

Conclusion of a commissioned data processing contract

In order to ensure data protection-compliant processing, DLR has concluded a contract with the host for commissioned data processing.

Provision of the website and generation of log files

Description and scope of data processing

Our system automatically collects data and information from the accessing computer system each time our website is called up.

The following data is collected in this context:

  1. Information about the browser type and version
  2. The operating system of the user
  3. The user’s internet service provider
  4. The IP address of the user
  5. Date and time of access
  6. The referring website(s)
  7. Websites that the user visits from our website

The data is also stored in log files on our system. This data is not stored together with other personal data of the user.

Legal basis for the processing of personal data

The legal basis for the temporary storage of the data and log files is Article 6(1)(f) DSGVO.

Purposes of the data processing

The temporary storage of the IP address by our system is necessary to deliver the website to the user’s computer. For this purpose, the user’s IP address must be stored for the duration of the session.

The storage in log files is done to ensure the functionality of the website. Furthermore, the data is used to optimise the website and to ensure the security of our information technology systems. Data analysis for marketing purposes does not take place in this context.

The website of Real4Reg collects a series of general data and information every time a data subject or automated system calls up the website. This general data and information is stored in the log files of the server.

When using these general data and information, we do not draw any conclusions about the data subject. This information is rather required in order to (1) correctly deliver the contents of our website, (2) optimise the contents of our website as well as the advertising for these, (3) ensure the permanent operability of our information technology systems and the technology of our website as well as (4) to provide law enforcement authorities with the information necessary for prosecution in the event of a cyber attack. Therefore, the host analyses anonymously collected data and information on the one hand for statistical purposes, and on the other hand for the purpose of increasing the data protection and data security of our research centre, so as to ensure an optimal level of protection for the personal data we process. The anonymous data contained in the server log files are stored separately from any other personal data of the data subject.

These purposes justify our legitimate interest in data processing pursuant to Article 6(1)(f) DSGVO.

Duration of the storage

The data is deleted as soon as it is no longer required for the purpose for which it was collected. In the case of data collection for the provision of this website, this applies at the end of each session.

For data stored in log files, this happens after seven days at the latest. Storage beyond this period is possible; in these cases, the IP addresses of the users are deleted or pseudonymised so that they can no longer be attributed to the accessing client.

Possibility of objection and removal

The collection of data to provide our website and the storage of data in log files is essential for the operation of the website. Users are therefore not granted the right to object.

Use of Matomo

Description and scope of data processing

We use the web analytics service Matomo to tailor this website to your needs.

When you visit individual pages of our website, the following data is stored:

  1. two bytes of the IP address of the user’s accessing system
  2. the accessed website
  3. the website from which the user accessed the website (referrer)
  4. the sub-pages accessed from the website
  5. the length of time the user spends on the website
  6. how often the website was accessed

The software runs on the DLR servers. The user’s personal data is only stored there.

Legal basis for the processing of personal data

The legal basis for the processing of the user’s personal data is Article 6(1)(f) DSGVO.

Purposes of the data processing

The processing of the user’s personal data enables us to analyse the surfing behaviour of our users. By analysing the collected data, we are able to compile information on how the individual components of our website are used. This helps us to constantly improve our website and its user-friendliness. Profiling does not take place. These purposes justify our legitimate interests in processing the data in accordance with Article 6(1)(f) DSGVO. The anonymisation of the IP address adequately takes into account the user’s interest in the protection of his or her personal data.

Duration of the storage

The software is configured so that the IP addresses are not stored completely. Two bytes of the IP address are masked (e.g. 192.168.xxx.xxx). In this way, the shortened IP address can no longer be assigned to the accessing computer.
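The seven-day retention limit for log files described earlier and the two-byte IP masking described here can both be exercised with a small routine: it masks addresses, pseudonymises log entries older than the retention period, and reports any full client address that has outlived it. This is an added Python example, not code from the page or from BfArM, DLR or Matomo; the log line format, the sample lines, the reference time and the IPv6 masking rule are assumptions made for the example.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (not from the page): "<client ip> [<ISO-8601 time>] <request>"
SAMPLE_LOG = [
    "203.0.113.45 [2024-03-01T10:15:00+00:00] GET /index.html 200",
    "198.51.100.7 [2024-03-06T08:00:00+00:00] GET /newsletter 200",
    "2001:db8:abcd:1234::1 [2024-02-20T23:59:00+00:00] GET /matomo.js 200",
    "203.0.113.45 [2024-03-09T12:00:00+00:00] GET /contact 200",
]
NOW = datetime(2024, 3, 10, 0, 0, tzinfo=timezone.utc)  # constructed reference time
RETENTION = timedelta(days=7)  # "after seven days at the latest"

LINE_RE = re.compile(r"^(\S+) \[([^\]]+)\] (.*)$")


def mask_ip(ip_text: str, masked_bytes: int = 2) -> str:
    """Zero the trailing `masked_bytes` octets of an IPv4 address (192.168.45.67 -> 192.168.0.0).

    The page only describes IPv4 masking. For IPv6 this keeps the first 48 bits
    (a typical site prefix) and zeroes the rest; that IPv6 rule is an assumption.
    """
    ip = ipaddress.ip_address(ip_text)
    keep_bits = 32 - 8 * masked_bytes if ip.version == 4 else 48
    network = ipaddress.ip_network((str(ip), keep_bits), strict=False)
    return str(network.network_address)


def is_masked(ip_text: str) -> bool:
    """True when masking the address again would not change it."""
    return mask_ip(ip_text) == ip_text


def parse_line(line: str):
    """Split a log line into (client ip, timestamp, request); reject unknown layouts."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"unrecognised log line: {line!r}")
    ip, ts, rest = m.groups()
    return ip, datetime.fromisoformat(ts), rest


def pseudonymise_log(lines, now=NOW, retention=RETENTION):
    """Rewrite entries older than `retention` so the IP no longer identifies the client."""
    out = []
    for line in lines:
        ip, ts, rest = parse_line(line)
        if now - ts > retention:
            ip = mask_ip(ip)
        out.append(f"{ip} [{ts.isoformat()}] {rest}")
    return out


def stale_unmasked_entries(lines, now=NOW, retention=RETENTION):
    """Retention check: entries older than the limit that still carry a full client IP."""
    stale = []
    for line in lines:
        ip, ts, _ = parse_line(line)
        if now - ts > retention and not is_masked(ip):
            stale.append(line)
    return stale


if __name__ == "__main__":
    print("before:", stale_unmasked_entries(SAMPLE_LOG))
    cleaned = pseudonymise_log(SAMPLE_LOG)
    print("after: ", stale_unmasked_entries(cleaned))
```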

Right to object (opt-out option)

We offer users of our website an opt-out option for the analysis procedure. To do this, the corresponding link must be clicked. This will create an opt-out cookie, which instructs our system not to store the user’s data.

Newsletter

If you would like to subscribe to the newsletter offered on the website, we require an e-mail address from you as well as information that allows us to verify that you are the owner of the e-mail address provided and that you agree to receive the newsletter. Further data is not collected or only collected on a voluntary basis. We use this data exclusively for sending the requested information and do not pass this data on to third parties.

The processing of the data entered in the newsletter subscription form is based exclusively on your consent (Article 6(1)(a) DSGVO). You can revoke your consent to the storage of the data, the e-mail address and their use for sending the newsletter at any time, for example via the “Unsubscribe” link in the newsletter. The lawfulness of the data processing carried out until then remains unaffected by this.

The data you provide to us for the purpose of registering for the newsletter is stored by us, or by the newsletter service provider, until you unsubscribe from the newsletter, and is deleted from the newsletter distribution list after you unsubscribe or after the purpose no longer applies. We reserve the right to remove email addresses from our newsletter distribution list at our own discretion within the scope of our legitimate interest pursuant to Article 6(1)(f) DSGVO.

After you have unsubscribed from the newsletter distribution list, your email address may be stored by us in a blacklist to prevent future mailings. The data from the blacklist will only be used for this purpose and will not be merged with other data. This serves both your interest and our interest in complying with the legal requirements for sending newsletters (legitimate interest within the meaning of Article 6(1)(f) DSGVO). The storage in the blacklist is indefinite. You can object to the storage if your interests outweigh our legitimate interest.

Rights of the data subjects

Right to information

Users may request confirmation from us, as the controller, as to whether personal data relating to them are being processed by us.

If such processing is taking place, users may request the following information from the controller:

  • the purposes for which the personal data are processed;
  • the categories of personal data which are processed;
  • the recipients or categories of recipients to whom the personal data concerning them have been or will be disclosed;
  • the planned duration of the storage of the personal data relating to the users or, if specific information on this is not possible, criteria for determining the storage duration;
  • the existence of a right to rectification or erasure of personal data concerning the users, a right to restriction of processing by the controller or a right to object to such processing;
  • the existence of a right to lodge a complaint with a supervisory authority;
  • any available information on the origin of the data if the personal data are not collected from the data subject;
  • the existence of automated decision-making, including profiling, pursuant to Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved and the scope and intended effects of such processing for the data subject.

Users have the right to request information on whether personal data concerning them are transferred to a third country or to an international organisation. In this context, they may request to be informed about the appropriate safeguards pursuant to Article 46 of the GDPR in relation to the transfer.

This right of access may be restricted to the extent that it is likely to render impossible or seriously impair the achievement of the research or statistical purposes and the restriction is necessary for the fulfilment of the research or statistical purposes.

Right of rectification

Users have a right of rectification and/or completion vis-à-vis the controller if the personal data processed concerning them are inaccurate or incomplete. The controller shall carry out the rectification without undue delay.

The right of rectification may be restricted to the extent that it is likely to render impossible or seriously prejudice the achievement of the research or statistical purposes and the restriction is necessary for the fulfilment of the research or statistical purposes.

Right to restriction of processing

Users may request the restriction of the processing of personal data concerning them under the following conditions:

  • where users contest the accuracy of the personal data concerning them for a period enabling the controller to verify the accuracy of the personal data;
  • the processing is unlawful and users object to the erasure of the personal data and request instead the restriction of the use of the personal data;
  • the controller no longer needs the personal data for the purposes of processing, but the users need them for the assertion, exercise or defence of legal claims, or
  • where users have objected to the processing pursuant to Article 21(1) of the GDPR and it is not yet clear whether the legitimate grounds of the controller override their grounds.

Where the processing of personal data relating to users has been restricted, such data may be processed, with the exception of their storage, only with the consent of the users or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of substantial public interest of the Union or of a Member State.

Where processing has been restricted in accordance with the above conditions, users shall be informed by the controller before the restriction is lifted.

The right of users to restrict processing may in turn be restricted to the extent that it is likely to render impossible or seriously prejudice the achievement of the research or statistical purposes and the restriction is necessary for the fulfilment of the research or statistical purposes.

Right to erasure

Obligation to delete

Users may request the controller to delete personal data concerning them without delay and the controller is obliged to delete such data without delay if one of the following reasons applies:

  • The personal data concerning the user are no longer necessary for the purposes for which they were collected or otherwise processed.
  • Users withdraw their consent on which the processing was based pursuant to Article 6(1)(a) or Article 9(2)(a) of the GDPR and there is no other legal basis for the processing.
  • Users object to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or object to the processing pursuant to Article 21(2) of the GDPR.
  • The personal data concerning the user have been processed unlawfully.
  • The deletion of the personal data concerning the user is necessary for compliance with a legal obligation under Union or Member State law to which the controller is subject.
  • The personal data concerning the user have been collected in relation to information society services provided pursuant to Article 8(1) of the GDPR.

Information to third parties

If the controller has made the personal data concerning the data subject public and is obliged to erase it pursuant to Article 17(1) of the GDPR, the controller shall take reasonable steps, including technical measures, having regard to the available technology and the cost of implementation, to inform data controllers which process the personal data that data subjects have requested erasure of any links to, or copies or replications of, those personal data.

Exceptions

The right to erasure does not exist insofar as the processing is necessary

  • to exercise the right to freedom of expression and information;
  • for compliance with a legal obligation which requires processing under Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • for reasons of public interest in the field of public health pursuant to Article 9(2)(h) and (i) and Article 9(3) of the GDPR;
  • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes pursuant to Article 89(1) of the GDPR, where the right to erasure is likely to render impossible or seriously prejudice the achievement of the purposes of such processing, or
  • for the assertion, exercise or defence of legal claims.

Right to information

Where users have exercised the right to rectification, erasure or restriction of processing vis-à-vis the controller, the latter shall be obliged to communicate this rectification or erasure of data or restriction of processing to all recipients to whom the personal data concerning them have been disclosed, unless this proves impossible or involves a disproportionate effort. Users have the right to be informed of these recipients by the controller.

Right to data portability

Users have the right to receive the personal data concerning them that they have provided to the controller in a structured, commonly used and machine-readable format. In addition, users have the right to transmit this data to another controller without hindrance by the controller to whom the personal data has been provided, provided that

  • the processing is based on consent pursuant to Article 6(1)(a) DSGVO or Article 9(2)(a) DSGVO or on a contract pursuant to Article 6(1)(b) DSGVO; and
  • the processing is carried out with the aid of automated procedures.

In exercising this right, users also have the right to have personal data relating to them transferred directly from one controller to another controller, insofar as this is technically feasible. The freedoms and rights of other persons must not be affected by this. The right to data portability shall not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Right of objection

Users have the right to object at any time, on grounds relating to their particular situation, to the processing of personal data concerning them carried out on the basis of Article 6(1)(e) of the GDPR, including profiling based on these provisions.

The controller shall no longer process the personal data concerning the user unless it can demonstrate compelling legitimate grounds for the processing which override their interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.

Users shall be able to exercise their right to object in relation to the use of information society services, notwithstanding Directive 2002/58/EC, by means of automated procedures using technical specifications.

Users also have the right to object, on grounds relating to their particular situation, to the processing of personal data concerning them which is carried out for scientific or historical research purposes or for statistical purposes pursuant to Article 89(1) of the GDPR.

The user’s right to object may be restricted to the extent that it is likely to render impossible or seriously impair the realisation of the research or statistical purposes and the restriction is necessary for the fulfilment of the research or statistical purposes.

Right to revoke the declaration of consent under data protection law

Users have the right to revoke their declaration of consent under data protection law at any time. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

Automated decision in individual cases including profiling

Users have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. This does not apply if the decision

  a) is necessary for the conclusion or performance of a contract between the users and the controller,
  b) is authorised by Union or Member State legislation to which the controller is subject and that legislation contains appropriate measures to safeguard the rights and freedoms of users and their legitimate interests; or
  c) takes place with the express consent of the users.

However, such decisions shall not be based on special categories of personal data referred to in Article 9(1) of the GDPR, unless Article 9(2)(a) or (g) of the GDPR applies and appropriate measures have been taken to protect the rights and freedoms and legitimate interests of users.

With regard to the cases referred to in a) and c), the controller shall take reasonable steps to safeguard the rights and freedoms as well as the legitimate interests of users, including at least the right to obtain the intervention of a person on the part of the controller, to express their point of view and to contest the decision.

Right to complain to a supervisory authority

Without prejudice to any other administrative or judicial remedy, users shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their residence, place of work or the place of the alleged infringement, if they consider that the processing of personal data relating to them infringes the GDPR.

The supervisory authority to which the complaint has been lodged shall inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy under Article 78 GDPR.