1.1. This Privacy Notice has been drawn up to provide you with an overview of how we record, save, process, pass on or transmit your data when you visit our website or use the services offered on our website.
1.2. When processing your personal data, we strictly adhere to the data protection specifications of the EU General Data Protection Regulation (GDPR) and the Data Protection Act 2018. We also follow guidance provided by the Information Commissioner’s Office.
1.3. Personal data comprises all data that relates to you personally, including your IP address, name, address, e-mail data and user behavior.
1.4. We reserve the right to modify the content of this Privacy Notice and therefore recommend that you consult this notice at regular intervals.
1.5. The controller as per Art. 4 para. 7 of the EU General Data Protection Regulation (GDPR) is DKMS Foundation (also known as DKMS UK). DKMS Registry gGmbH (Kressbach 1, 72072, Tübingen, Germany) is also a joint controller of DKMS UK’s personal data relating to blood stem cell donor recruitment, registration and collection.
1.6. DKMS UK’s data protection officer can be contacted by email at: email@example.com or by writing to our postal address with reference to the “Data Protection Officer”.
We record data relating to you when you visit our website or use our services offered on the website. Depending on how you use our website, this may comprise the following information:
2.1. Purely informational use: You can visit our website without providing any personal data. When you use the website purely for informational purposes, in other words if you do not use our homepage to donate money, register as a blood stem cell donor, complete a contact form or transfer information to us in any other way, we do not record any personal data, with the exception of the data that your browser automatically transmits to our server in order to allow you to visit our website. If you wish to view our website, we record the following data, which is technically necessary in order for us to display our website to you as well as to ensure stability and security:
2.2. In addition to providing a website for informational purposes, we provide you with various services (donating money, ordering a registration kit, contact forms, etc), which you can use if interested. To do this, you usually need to provide further personal data, which we require in order to provide the respective service.
2.2.1. Contact via e-mail or contact form: If you contact us by e-mail or one of the contact forms provided when visiting our website, we will additionally process and save the data that you have provided (your e-mail address and, possibly, your name and phone number) in order to answer your questions. User data may be saved in a customer relationship management system (CRM system) or some comparable system.
2.2.2. Donating money via our website: If you would like to use the option provided on our website to donate money, we will also process the data you share that is required to perform the requested transaction. The way we process your personal data depends on the selected payment method:
2.2.3. Ordering a blood stem cell donor registration kit (sometimes also referred to as a “buccal swab kit”): When you visit our website, if you decide to order a kit to register as a blood stem cell donor, we process the following information that you provide directly to us through the registration process:
1. Contact details (name, address, email, phone)
2. Biological sex
3. Height and weight
4. Medical and GP details
6. Date of birth
7. Genetic data collected from returned buccal swabs (if returned to us).
If you return your buccal swabs and are registered as a potential blood stem cell donor, we will retain your data on the DKMS database and the UK Stem Cell Registry until your 61st birthday, unless you withdraw your consent and ask us to remove it before then.
2.2.4. Links to websites of third-party providers
At various places on our website there are links to third-party provider websites. After clicking on the link provided, you are forwarded to the website of the third-party provider concerned. In the process of forwarding, user information is transmitted to the third-party provider. If you send information to or via these sites of third-party providers, we recommend that you read the data protection privacy policies for these sites before providing them with any further information that can be assigned to you personally. For information with regard to how your data is handled while using the websites of third-party providers, please refer to the respective data protection policies of the third-party providers. We are not responsible for their operation, including how they handle data.
3.1. We only process your personal data to the extent that is necessary in order to provide a working website and to provide our content and services. Personal data is only processed on a regular basis where this is permitted by statutory provisions or where the person concerned has given consent.
3.2. If you use our website purely for informational purposes, we record only the data that is technically necessary in order for us to display our website to you as well as ensure stability and security. The legal basis for processing is “legitimate interest” under Art. 6 para. 1 (f) of the GDPR.
3.3. When you contact us by e-mail or via a contact form, your personal data will only be used for the purpose of answering your request. The legal basis for processing is “legitimate interest” under Art. 6 para. 1 (f) of the GDPR.
3.4. If you use our website to donate money, your data shall be processed only to the extent that this is necessary to fulfill the donation contract. The legal basis for processing your personal data is “performance of a contract” under Art. 6 para. 1 (b) of the GDPR.
3.5. If you use our website to request delivery of a blood stem cell registration kit (also known as a buccal swab kit), we shall use the data you provide in this process to send you the registration kit via post and to accelerate the important registration process. The personal and genetic data we collect via the registration process and via the return of the buccal swab is used for the following purposes:
3.6. On the website we process your e-mail address solely for the purpose of any existing queries and information relating to the registration kit order.
3.7. The legal basis for processing your personal/genetic data is your express and freely given consent provided in accordance with Art. 6 para. 1 (a) of the GDPR.
4.1. When you use our website, your data is transmitted to us in encrypted form in order to prevent access by unauthorised third parties. We save your data on specially protected servers. Access to that personal data is only possible for those DKMS employees with special authorisation, all of whom are familiar with the relevant Data Protection Regulations and compelled to comply with them.
5.1. Your personal data is passed on to third parties in the following circumstances:
5.2. We do not sell or rent your data to any other companies or organisations. We will under no circumstances use your e-mail address or other data without your agreement for any other purposes for which you have not given your consent.
6.1. We will only save any personal data that you have transmitted or provided until the purpose for doing so has been fulfilled, until you revoke your consent, until you object to the data being processed or until you request the deletion of your data.
Using our website purely for informational purposes
6.2. If you use the website purely for informational purposes, we will save your data on our servers only for the duration of your visit to our website. Once you leave our website, your data will be immediately deleted.
Contacting us by email or using a contact form on the website
6.3. If you contact us by e-mail or using one of the contact forms on our website, we will delete any data recorded in this context once it is no longer necessary to save the data or will restrict processing if any statutory storage obligations exist. We check necessity on a regular basis.
6.4. If you have used our website to donate money and we processed data to issue you with confirmation of the donation, we will save your data until you revoke your consent to the data being processed or until you request the deletion of your data in accordance with the procedure described under section 8. In this case, your data will be blocked and then deleted once any statutory archiving periods have expired.
Ordering and returning a blood stem cell donor registration kit
6.5. If you have used our website to order a registration kit, we will retain your personal data in line with the retention periods set out in the table below, depending upon your personal profile, whether or not you return the buccal swab and whether or not you consent to the use of your data for alternative or additional data processing purposes.
6.6. In the event that you do not return your buccal mouth swab, we will make at least two attempts to contact you and request you return it by e-mail. More attempts may be made for potential donors in priority categories, such as young male donors or those from minority ethnic and racial backgrounds. If these attempts elicit no response, your data will be blocked, ie, you will no longer receive any messages from us, and then deleted.
Summary of DKMS retention periods
Personal Profile: Registered potential blood stem donors (up to age 61)
Nature of personal data collected, processed and stored:
Data retention periods:
Retained until the age of 61 unless:
Personal Profile: Online registrants (all ages) who never return buccal swabs
Nature of personal data collected, processed and stored:
Data retention periods: Retained for 12 months post-dispatch of swab pack
Personal Profile: Fundraising supporters
Registered potential blood stem cell donors who agree to become fundraising supporters after reaching the age of 61
Nature of personal data collected, processed and stored:
Data retention periods: Current financial year, plus 6 years from last financial donation
Personal Profile: Ineligible donors identified during online registration process
Nature of personal data collected, processed and stored:
Data retention periods: Retained for 12 months, unless consent given for alternative processing purpose, eg, fundraising
Personal Profile: Ineligible donors identified post registration, during the selection and matching process
Nature of personal data collected, processed and stored:
Data retention periods: Retained for 12 months, unless consent given for alternative processing purpose, eg, fundraising
7.1. By becoming part of the DKMS UK database of potential blood stem cell donors, you will receive essential communications related to the operation of the UK stem cell register (including information about the process or regulation of blood stem cell donation, and any changes to that process or regulation), including an annual letter/email from us, asking you to confirm your up-to-date contact details and to inform us of any personal information changes necessary to being part of our database and the register.
7.2. We believe it is important for us to remain in contact with you, particularly if you are a registered blood stem cell donor, for the following reasons. The communication specified under para 7.1 is directly linked to successful donations. When someone registers as a potential blood stem cell donor, it could be many years before they are called upon as a donor, which means there is a risk of this person forgetting about their commitment. Therefore, we keep in contact with our donors to remind them of their registration, and provide the news and information needed to increase the likelihood they are ready, available and contactable if they are called upon as a match for a patient. In the event of a stem cell donation, it is essential that the potential donor is available, as time is of the essence for the affected patient. This minimum level of contact therefore increases the possibility of giving someone a second chance of life.
7.3. Provided you have given your consent, in addition to the information specified under item 7.1, you may also receive promotional emails and mailings that contain general information regarding our activities.
7.4. If you no longer wish to receive mailings in the future, you can cancel this service at any time without providing any reason for this. To do so, please send us an e-mail with the subject “NONEWS” to firstname.lastname@example.org or tell us this using the contact data in the imprint.
8.1. You have the following rights with regard to your personal data that we process:
8.2. If you have given your consent for us to process your personal data, you can revoke this at any time. Once you have revoked this, we will no longer process your personal data. It is possible here to revoke consent for specific purposes such as receiving a newsletter.
8.3. If you wish to exercise your rights described above, please submit your request to: DKMS Foundation, Ashburnham House, Castle Row, Horticultural Place, London, W4 4JQ or by e-mail to: email@example.com
8.4. You also have the right to lodge a complaint with the Information Commissioner’s Office about the way in which we process your personal data.
Right to object to processing – information pursuant to Art. 21 GDPR
You have the right to object at any time, on grounds relating to your particular situation, to the processing of your data based on Art. 6 (1) (f) GDPR (data processing based on “legitimate interest”). If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
9.3. You can configure your browser settings according to your preferences and, for example, refuse to accept non-essential cookies or all cookies. Moreover, you can prevent or restrict the installation of cookies through the relevant settings of your internet browser. You can also delete previously stored cookies at any time. However, the steps and measures that are necessary to do so depend on the specific internet browser that you use. If you have any questions, therefore, please refer to the help function or documentation for your internet browser or contact the corresponding manufacturer for support. If no consent is given in the “privacy settings” pop-up (or if it is revoked via the “Consent Management” link in the footer), only cookies that store this block decision are set.
9.4. We use “local storage” and “session storage” as alternatives to cookies that are integrated in the browser. The web storage stores the data securely in the user’s browser and does not transmit it unencrypted over the internet.
9.4.2. Session storage: The scope includes an individual browser window/tab and is automatically cleared when the browser window is closed.
Piwik PRO Analytics Suite
10.1. On our website, we use the Piwik PRO Analytics Suite (“Piwik PRO”) consent management tool from the company Piwik PRO GmbH, Lina-Bommer-Weg 6, 51149 Cologne, Germany.
10.2. The consent management tool includes a graphical user interface element called a “pop-up” to prompt for privacy settings. The “privacy settings” pop-up actively asks for your permission when you first visit our site to allow us to collect analytical data about your user behavior. Similarly, you can use the privacy settings pop-up to decide for yourself whether external content is displayed to you on our site. Consent to cookies, analytics, tag manager, social embeds and YouTube can be activated and deactivated at any time via the “consent management” link in the footer of this website.
10.4. As mentioned in para 10.1, we use the analysis program Piwik PRO Analytics Suite, the software for which is used to collect data that enables us to tailor the design of our website to user requirements and to statistically evaluate the flow of visitors for marketing and optimisation purposes. Pseudonymous usage profiles are also created in this context. Cookies are used for these purposes, which are stored on your computer and which enable a pseudonymous analysis of your use of our website. The IP address is immediately truncated after collection and prior to storage. Piwik PRO Marketing Suite Cloud is hosted on Microsoft Azure in Germany.
10.5. Piwik PRO always analyses the use of our website in anonymised form. If the user consents to Analytics, the analysis of the use of our website is aggregated pseudonymously. This makes it possible, for example, to identify returning users and perform more precise analyses.
10.6. You can specify in the “privacy settings” pop-up and subsequently in the footer via the “consent management” link whether you consent to us using Piwik PRO in the manner described. If you choose not to do so, a Piwik PRO deactivation cookie will be deposited on your end device (“opt-out” cookie). Please note that your browser must accept cookies in order for this cookie to be deposited. If you delete the deactivation cookie, you may have to opt-out again.
Piwik Tag Manager
AddSearch search function
10.9. The results from the search box on our website are made available by the web service of AddSearch Oy, Töölönkatu 4, FI-00100 Helsinki, Finland (“AddSearch”). When you actively use the search box on our website, a data transfer to AddSearch takes place. Only the search terms you enter and your IP address are transmitted.
10.10. In the context of the use of AddSearch, AddSearch uses “Amazon Web Services (AWS)”, based in the USA, as an order processor. Accordingly, some data processing may also take place outside the EU or the EEA. To the extent that AWS thereby transfers your personal data to the USA, we will take precautions to protect your personal data in the best possible way, among other things by using standard contractual clauses from the EU Commission (under Art. 46 (2) (c) GDPR). For more information about standard contractual clauses regarding the transfer of personal data to processors outside the EU or EEA, please visit the European Commission’s page on Standard Contractual Clauses.
Amazon Web Services: Hosting
10.12. For hosting the database and web content on our website, we use the Amazon Web Services (“AWS”) service provided by Amazon Web Services, Inc. Box 81226, Seattle, WA 98108-1226, USA. The data is stored exclusively in a German data center (Frankfurt/Main), which is certified according to ISO 27001, 27017 and 2018, as well as PCI DSS Level 1. We only have strictly limited access rights and the data is automatically encrypted.
10.13. For technical reasons, infrastructure maintenance may be carried out by AWS subcontractors from the USA. Accordingly, some data processing may also take place outside the EU or the EEA. To the extent that AWS thereby transfers your personal data to the USA, we will take precautions to protect your personal data in the best possible way, among other things by using standard contractual clauses of the EU Commission (Art. 46 (2) (c) GDPR). For more information about standard contractual clauses for the transfer of personal data to processors outside the EU or EEA, please visit the European Commission’s page on Standard Contractual Clauses.
10.14. The transmission of your personal data for these purposes is based on our legitimate interest in being able to provide you with the technical infrastructure of our website, in particular web servers, databases and the sending of emails, pursuant to Art. 6 (1) (f) GDPR. For more information about AWS and privacy, please see AWS Privacy Notice and their page on GDPR compliance when using AWS services.
10.15. As part of the web hosting with AWS, we use technologies provided by AWS or by the Amazon CloudFront content delivery network (“CDN”). A CDN makes extensive media files available via a regionally distributed server network in order to conserve its own server resources. Before the website loads in your web browser, we use Amazon CloudFront to build SSL encryption to the website and to build other security features to protect against harmful influences from the World Wide Web.
10.17. If you access Amazon Smile via a link on our website, shop at Amazon Smile and select DKMS as your organisation, we will receive 0.5% of your purchase amount as a donation. There are no additional costs involved, as the donation is made directly from Amazon to DKMS Foundation. After you leave our website and go to Amazon Smile, we do not receive or process any personal data about you. For more information about Amazon’s use of data, please see Amazon’s Privacy Notice.
11.1. We use social media plug-ins from various social networks on our website. If you access a specific page on our website that contains such a plug-in, your browser establishes a direct connection with the servers of the social networks after you have given your permission in the “privacy settings” pop-up to display external content on our site. The content of the plug-in is transmitted directly to your browser by the social networks and integrated into the website by the browser. By making a selection in the “privacy settings” pop-up, you decide which external content is displayed on our website and you can change this setting at any time by clicking on the “consent management” link in the website footer.
11.2. The integration of the plug-ins informs the social networks that you have accessed the corresponding page on our website. If you are logged in to one or more social networks, the social networks in question can assign the visit to your account. If you interact with the plug-ins, for example by clicking the “Like” button or sending a tweet, the corresponding information is transmitted from your browser directly to, eg, Facebook and Twitter and stored there.
11.3. We are not responsible for the services of third-party providers whose offers are linked on our website, such as Twitter or Facebook. These third-party providers are not able to associate the IP addresses with other personal data collected via the DKMS website. More information on data collection by third-party providers can be found on the respective websites of these providers.
11.4.1. We have no control over the data collected and data processing operations, nor are we aware of the full extent of the data collection, the purposes of the processing or the retention periods. We also have no information on the deletion of the collected data by the plug-in provider.
11.4.2. The plug-in provider stores the data collected about you as usage profiles and uses them for the purposes of advertising, market research and/or the customised design of its website. Such analysis is carried out in particular (even for users who are not logged in) to provide targeted advertising and to inform other users of the social network about your activities on our website. You have the right to object to the creation of these user profiles, whereby you must contact the respective plug-in provider to exercise this right. The legal basis for the use of the plug-ins is our legitimate interest in giving you the opportunity to interact with the social networks and other users so that we can improve our offer and make it more interesting for you as a user, Art. 6 (1) (f) GDPR.
11.4.3. The data transfer takes place regardless of whether you have an account with the plug-in provider and are logged in there. If you are logged in to the plug-in provider, the data we collect is directly associated with your account at the plug-in provider. If you click the activated button and link to the page, for example, the plug-in provider also stores this information in your user account and shares it publicly with your contacts. We recommend that you log out regularly after using a social network, but especially before activating the button, as this prevents association with your profile at the plug-in provider.
11.4.4. Further information on the purpose and scope of data collection and its processing by the plug-in provider can be found in the privacy policies of these providers disclosed below. There you will also find further information about your respective rights and privacy settings.
11.4.5. Addresses of the respective plug-in providers and links to their privacy policies:
12.1. We have integrated YouTube videos into our website, which are stored on the YouTube page of DKMS and can be played back directly on our website. YouTube is operated by YouTube, LLC, 901 Cherry Ave, San Bruno, CA 94066, USA. YouTube, LLC is a subsidiary of Google Inc, 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.
12.3. By integrating YouTube, we improve our offer and can make it more interesting for you as a user. The legal basis for the integration is our legitimate interest according to Art. 6 (1) (f) GDPR.
If you have any questions regarding this Website Privacy Notice, please contact our data protection officer at firstname.lastname@example.org.