1.2 When processing your personal data, we strictly observe the data protection requirements of the General Data Protection Regulation (GDPR) and data protection guidance provided by the Information Commissioner’s Office (ICO).
1.3 Personal data refers to any information that can be related to you personally and can be used to identify you e.g. IP address, name, address, email data, user behavior.
1.5 The Data Controller pursuant to Art. 4 (7) GDPR is DKMS Foundation (see legal notice). Our Data Protection Officer can be reached at email@example.com or at our postal address with “The Data Protection Officer” as the addressee.
We collect information from you when you visit our website or use the services we offer on the website. Depending on how you use our website, this may include the following information:
2.1 For informational purposes only: You can visit our website without providing any personal data. When using the website for informational purposes only i.e. without donating money through our website, filling out a contact form, or otherwise submitting information to us, we do not collect any personal data, except for the data that your browser automatically transmits to our server to enable your use of our website.
For the technical provision of our website and to ensure the security of our information technology systems, it is necessary for us to process certain automatically transmitted information from you so that your browser can display our website and you can use it. This information is automatically collected every time our website is visited and stored in our server log files for x years. This information refers to the operating system of the device you are using. The following information is collected:
This information refers to the computer system used. We use this data (with the exception of the IP number of your computer) solely for statistical purposes to measure demand for our web content and services. The data is recorded cumulatively for all users of the website, which means that it is not possible to assign this data to a specific person. This data is not merged with data from other data sources.
2.2 In addition to the purely informational use of our website, we offer various services (monetary donation, home swab kit registration, contact us form) that you can use if interested. This generally requires you to supply additional personal data that we need to provide the respective service.
2.2.1 Contact by email or contact form: If you contact us by email or one of the contact forms on our website, the data you provide will also be processed (your email address, possibly your name and telephone number) and stored by us in order for us to be able to answer your questions. User data can be stored in a Customer Relationship Management (CRM) system or similar.
2.2.2: If you use the option to donate money on our website, we will also process those data provided by you that are necessary to carry out the requested transaction. In this regard, the processing of your personal data differs, depending on the chosen means of payment:
• Payment by credit card: If you choose to pay by credit card, your name, address and email address will be processed by us for the purpose of completing the requested transaction and sending you a donation receipt, if applicable.
• Payment by direct debit: Insofar as you use the option on our website to make the monetary donation by direct debit, your name, address, email address and account details will be processed by us for the purpose of carrying out the transaction and, if necessary, sending you a donation receipt.
• Payment by PayPal: Should you decide to pay with the online payment service provider PayPal, you will be redirected to a PayPal website. PayPal is a service of PayPal (Europe) S.à.r.l. & Cie. S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg. PayPal assumes the function of an online payment service provider as well as a trustee and offers protective services.
Here, the data protection provisions of PayPal generally apply. These can be found in PayPal’s Privacy Statement. Any personal data you provide when choosing this payment method will only be processed by us to the extent necessary to allocate the payment made. This includes your name, your email address and, in some cases, your address. However, this only applies insofar as you have consented to your address and name being passed on to us as part of the payment process on the PayPal website in order to confirm your donation.
• Payment by bank transfer: Should you decide to pay by bank transfer, only the data processed during an information seeking visit will be processed during your visit to the website.
• Payment by SMS: Should you decide to make a donation by SMS, only your phone number will be processed by us.
2.2.3. Home swab kit orders: Should you decide to order a swab kit for registration as a stem cell donor when visiting our website, your name, address and email address as well as the information on your genetic background and your telephone number, insofar as you have provided us with these, will be processed by us in this context.
2.2.4 Links to third-party websites:
Our website contains links to third-party websites in various places. After clicking on the embedded link, you will be redirected to the website of the respective third-party provider. During the redirect process, user data is transferred to the respective third-party provider. If you send information to or via these third-party sites, we recommend that you read the privacy policies of these sites before providing them with any further information that may be personally identifiable. For information on how your data is processed on third-party websites, please refer to the respective privacy policies of the third-party providers. We are not responsible for how they operate or handle data.
3.1 We only process your personal data to the extent that it is necessary to provide a functional website, content and services, and where we are legally permitted to do so. The corresponding legal bases are listed individually below. Moreover, we are always entitled to process personal data if the data subject has consented (Art. 6 (1) a, Art. 7 GDPR), if we are obliged to fulfill contractual or pre-contractual obligations (Art. 6 (1) b GDPR), if we have to fulfill legal obligations (Art. 6 (1) c GDPR) or if we protect our legitimate interests (Art. 6 (1) f GDPR).
3.2 If you use our website for purely informational purposes, we only collect the data that is technically necessary for us to display our website to you and to ensure its stability and security. The legal basis for processing is our legitimate interest according to Art. 6 (1) (1) f GDPR.
3.3 When you contact us by email or via the contact form, your personal data will only be used for the purpose of answering your request. The legal basis for processing is our legitimate interest according to Art. 6 (1) (1) f GDPR.
3.4 If you use our website to donate money, your data will only be processed to the extent necessary for the fulfillment of the donation contract. The legal basis for the processing of your personal data is the fulfillment of a contractual obligation according to Art. 6 (1) (1) b GDPR.
3.5 Insofar as you request a home swab kit via our website, the data you provide in this regard will be used by us for the purpose of sending you the home swab kit by post and expediting the important process of registration. The information about your genetic background is only used to pre-fill the declaration of consent to be sent to you by post with the specified data and thus to expedite the processes of the registration procedure. We process your email address only for the purpose of dealing with any queries and information relating to the registration set order. The legal basis for the processing is the consent given by you in accordance with Art. 6 (1) (1) a GDPR.
When you use our website, your data is transmitted to us in encrypted form to prevent access by unauthorized third parties. We store your data on specially protected servers. Access to personal data is only possible for a few specially authorised DKMS employees, all of whom are familiar with and committed to the relevant data protection regulations.
Only our employees have access to your personal data. In addition, we sometimes share personal data with order processors, in particular payment service providers, service providers and financial institutions with whom we cooperate. We are entitled to do this if the data subject has consented to this (Art. 6 (1) a, Art. 7 GDPR), if we thereby fulfill contractual or pre-contractual obligations (Art. 6 (1) b GDPR), if we thereby fulfill a legal obligation (Art. 6 (1) c GDPR) or if we safeguard our legitimate interests (Art. 6 (1) f GDPR). The service providers have been carefully selected and commissioned by us, are bound by our instructions and are monitored on a regular basis. We conclude a so-called order processing agreement with order processors in accordance with Art. 28 GDPR, according to which they also undertake to comply with data protection.
We assure you that we do not sell or rent your information to other companies or organisations. Under no circumstances will we use your email address or other data without your consent for other purposes for which you have not given your consent.
6.1 We will only store personal data that you have transmitted or provided until the purpose for doing so has been fulfilled, until you revoke your consent, until you object to the data being processed or until you request the deletion of your data.
6.2 If you use our website for informational purposes only, we store your data on our servers exclusively for the duration of your visit to our website. Once you leave our website, your data will be deleted immediately.
6.3 If you contact us by email or one of the contact forms provided when using our website, we will delete the data collected in this context once it is no longer necessary to store it or restrict its processing if any statutory retention obligations exist. We check necessity on a regular basis.
6.4 If you have used our website to donate money and your contact details are processed by us in order to issue you with a donation receipt, your data will be stored by us until you have revoked your consent to the processing of your personal data or until you have requested the deletion of your personal data in accordance with the procedure described in section 8. In this case, your data will be blocked and deleted after the expiration of any existing legal retention periods.
6.5 Insofar as you have used our website to order a home swab kit, any personal data you have provided in this context will be stored by us until the relevant process has been completed by the return of the swab kit. If, contrary to expectations, the swab kit is not returned to us within a certain time frame, we will stop contacting you about your potential to be a stem cell donor after we have attempted to contact you without success for the purpose of requesting the return of the swab kit. In this case, the data will only be accessed to a limited extent by a few of our employees for the purpose of preventing repeat orders of home swab kits by the same person while the return of the swab kit is still pending. After this purpose has also been fulfilled, your data will be deleted.
6.6 Insofar as you have signed and returned the home swab kit and the declaration of consent contained therein to us, the further processing of your personal data shall be based on this declaration of consent, unless you have changed your preferences after the consent was signed.
7.1 You will receive medical information, news about process changes or general information concerning your individual process from us if you have made a monetary donation, ordered a home swab kit or are registered as a stem cell donor with us. This is exclusively process-related information and not advertising mails.
7.2 We would like to provide you with background information, which is why it is important for us to stay in contact with you, especially if you are a registered stem cell donor. The transfer of the information specified in section 7.1. is essential for the efficient execution of a possible stem cell donation. The primary purpose of this is to keep in touch with our donors and thus increase the likelihood of you remembering your registration as a potential stem cell donor, which may have been years ago. Upholding a minimal level of communication improves the potential for delivering second chances at life. Only in this way can we reliably guarantee the availability and accessibility of potential stem cell donors and ensure that, in the event of a “match” with a sick patient, our donors can actually be reached and are available under the contact data stored with us. In the case of stem cell donation, the availability of the potential donor is elementary, as time is of the essence for the affected patient.
7.3 Insofar as you have consented to this, you will also receive newsletters (advertising mails) containing exclusively general information about our activities, in addition to the information listed in Section 7.1.
7.4 If you no longer wish to receive the newsletter in the future, you can unsubscribe from this service at any time and without giving reasons. For this purpose, please send an email with the subject “NONEWS” to firstname.lastname@example.org or notify us via the contact details provided in the legal notice.
8.1 You have the right to request confirmation as to whether personal data concerning you is being processed by us. If this is the case, we will gladly provide you with information about this personal data and the information listed in Art. 15 GDPR.
In addition, you have the following rights:
• Right to rectification, Art. 16 GDPR
• Right to erasure, Art. 17 GDPR
• Right to restriction of processing, Art. 18 GDPR
• Right to data portability, Art. 20 GDPR
• Right to object to processing, Art. 21 GDPR
Without prejudice to these rights and the possibility of seeking any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, place of work or the place of the alleged infringement, under the conditions set out in Article 77 GDPR, if you believe that the processing of your personal data infringes data protection law.
8.2 If you have given your consent to the processing of your personal data, you can revoke this consent at any time. If you revoke your consent, this will restrict us from processing your personal data once you have notified us of your revocation. You can also limit the revocation of the processing of your personal data to specific purposes (e.g. newsletter) (restriction of processing).
8.3 To exercise your rights described above, please submit your request to DKMS UK, Ashburnham House, Castle Row, Horticultural Place, London W4 4JQ.
9.3 You can configure your browser settings according to your preferences and, for example, refuse to accept non-essential cookies or all cookies. Moreover, you can prevent or restrict the installation of cookies through the relevant settings of your internet browser. You can also delete previously stored cookies at any time. However, the steps and measures that are necessary to do so depend on the specific Internet browser that you use. If you have any questions, therefore, please refer to the help function or documentation for your internet browser or contact the corresponding manufacturer for support. If no consent is given in the “Privacy settings” pop-up (or if it is revoked via the “Consent Management” link in the footer), only cookies that store this block decision are set.
9.4 We use “local storage” and “session storage” as alternatives to cookies that are integrated in the browser. The web storage stores the data securely in the user’s browser and does not transmit it unencrypted over the Internet.
9.4.2 Session storage: The scope includes an individual browser window/tab and is automatically cleared when the browser window is closed.
10.1 On our website, we use the Piwik PRO Analytics Suite (“Piwik PRO”) consent management tool from the company Piwik PRO GmbH, Lina-Bommer-Weg 6, 51149 Cologne, Germany.
The Consent Management tool includes a graphical user interface element called a “pop-up” to prompt for privacy settings. The “Privacy settings” pop-up actively asks for your permission when you first visit our site to allow us to collect analytical data about your user behavior. Likewise, you can use the Privacy settings pop-up to decide for yourself whether external content is displayed to you on our site. Consent to cookies, Analytics, Tag Manager, social embeds and YouTube can be activated and deactivated at any time via the “Consent Management” link in the footer of this website.
Each permission can be activated and deactivated individually. All of the following points are dependent on the user granting this consent. If no consent is given in the Privacy settings pop-up or revoked via the “Consent Management” link in the footer, only cookies that store this block decision are set. The use of the Consent Management tool is based on our legitimate interest in a responsive design of our website, according to Art. 6 (1) f GDPR.
10.2 As mentioned in section 10.1, we use the analysis program Piwik PRO Analytics Suite (“Piwik PRO”) from the company Piwik PRO GmbH, Lina-Bommer-Weg 6, 51149 Cologne, Germany, on our website.
This software is used to collect data that enables us to tailor the design of our website to user requirements and to statistically evaluate the flow of visitors for marketing and optimisation purposes. Pseudonymous usage profiles are also created in this context. Cookies are used for this purpose, which are stored on your computer and which enable a pseudonymous analysis of your use of our website. The IP address is immediately truncated after collection and prior to storage. Piwik PRO Marketing Suite Cloud is hosted on Microsoft Azure in Germany.
Piwik PRO always analyses the use of our website in anonymised form. If the user consents to Analytics, the analysis of the use of our website is aggregated pseudonymously. This makes it possible, for example, to identify returning users and perform more precise analyses.
You can specify in the “Privacy Settings” pop-up and subsequently in the footer via the “Consent Management” link whether you consent to us using Piwik PRO in the manner described. If you choose not to do so, a Piwik PRO deactivation cookie will be deposited on your end device (“opt-out” cookie). Please note that your browser must accept cookies in order for this cookie to be deposited. If you delete the deactivation cookie, you may have to opt-out again.
If a corresponding consent has been given, the processing is based exclusively on this, Art. 6 (1) a GDPR.
10.3 Piwik Tag Manager
We continue to use Piwik PRO Tag Manager on our website. This service allows website tags to be managed via an interface. Piwik PRO Tag Manager does not set any cookies, only tags, and does not collect any personal data. The service triggers other tags, which in turn may collect data. A tag is only triggered if the user has consented to this beforehand. If the user does not grant specific permissions in the “Privacy Settings” pop-up, the corresponding tags will not be triggered. Tags that do not process personal data are always loaded. However, Piwik PRO Tag Manager does not access this data. If a deactivation has been made at the domain or cookie level, it will apply to all analysis tags implemented with Piwik PRO Tag Manager.
10.4 AddSearch search function
The results from the search box on our website are made available by the web service of AddSearch Oy, Töölönkatu 4, FI-00100 Helsinki, Finland (“AddSearch”). When you actively use the search box on our website, a data transfer to AddSearch takes place. Only the search terms you enter and your IP address are transmitted.
In the context of the use of AddSearch, AddSearch uses “Amazon Web Services (AWS)”, based in the USA, as an order processor. Accordingly, some data processing may also take place outside the EU or the EEA. To the extent that AWS thereby transfers your personal data to the USA, we will take precautions to protect your personal data in the best possible way, among other things by using standard contractual clauses of the EU Commission (Art. 46 (2) c GDPR).
For more information about standard contractual clauses for the transfer of personal data to processors outside the EU or EEA, please visit https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en.
10.5 Amazon Web Services: Hosting
For hosting the database and web content on our website, we use the Amazon Web Services (“AWS”) service provided by Amazon Web Services, Inc. Box 81226, Seattle, WA 98108-1226, USA. The data is stored exclusively in a German data center (Frankfurt/Main), which is certified according to ISO 27001, 27017 and 2018, as well as PCI DSS Level 1. We only have strictly limited access rights and the data is automatically encrypted.
For technical reasons, infrastructure maintenance may be carried out by AWS subcontractors from the USA. Accordingly, some data processing may also take place outside the EU or the EEA. To the extent that AWS thereby transfers your personal data to the USA, we will take precautions to protect your personal data in the best possible way, among other things by using standard contractual clauses of the EU Commission (Art. 46 (2) c GDPR).
For more information about standard contractual clauses for the transfer of personal data to processors outside the EU or EEA, please visit the European Commission’s page on Standard Contractual Clauses.
The transmission of your personal data for these purposes is based on our legitimate interest in being able to provide you with the technical infrastructure of our website, in particular web servers, databases and the sending of emails, pursuant to Art. 6 (1) f GDPR.
10.6 Amazon CloudFront
As part of the web hosting with AWS, we continue to use technologies provided by AWS or by the Amazon CloudFront content delivery network (“CDN”). A CDN makes extensive media files available via a regionally distributed server network in order to conserve its own server resources. Before the website loads in your web browser, we use Amazon CloudFront to build SSL encryption to the website and to build other security features to protect against harmful influences from the World Wide Web.
During this process, your IP address and other data are transmitted to Amazon CloudFront.
The legal basis for this is our legitimate interest in ensuring the accessibility of our website, Art. 6 (1) f GDPR.
10.7 Amazon Smile
If you access Amazon Smile via a link on our website, shop at Amazon Smile and select DKMS as your organisation, we will receive 0.5% of your purchase amount as a donation. There are no additional costs involved, as the donation is made directly from Amazon to DKMS gGmbH. After you leave our website and go to Amazon Smile, we do not receive or process any personal data about you.
For more information about Amazon’s use of data, please see Amazon’s Privacy Notice.
11.1 We use social media plug-ins from various social networks on our website. If you access a specific page on our website that contains such a plug-in, your browser establishes a direct connection with the servers of the social networks after you have given your permission in the “Privacy settings” pop-up to display external content on our site. The content of the plug-in is transmitted directly to your browser by the social networks and integrated into the website by the browser. By making a selection in the “Privacy Settings” pop-up, you decide which external content is displayed on our website and you can change this setting at any time by clicking on the “Consent Management” link in the website footer.
11.2 The integration of the plug-ins informs the social networks that you have accessed the corresponding page on our website. If you are logged in to one or more social networks, the social networks in question can assign the visit to your account. If you interact with the plug-ins, for example by clicking the “Like” button or sending a tweet, the corresponding information is transmitted from your browser directly to Facebook and Twitter and stored there.
11.3 We are not responsible for the services of third-party providers whose offers are linked on our website, such as Twitter or Facebook. These third-party providers are not able to associate the IP addresses with other personal data collected via the DKMS website. More information on data collection by third-party providers can be found on the respective websites of these providers.
11.4.1 We have no control over the data collected and data processing operations, nor are we aware of the full extent of the data collection, the purposes of the processing or the retention periods. We also have no information on the deletion of the collected data by the plug-in provider.
11.4.2 The plug-in provider stores the data collected about you as usage profiles and uses them for the purposes of advertising, market research and/or the customised design of its website. Such analysis is carried out in particular (even for users who are not logged in) to provide targeted advertising and to inform other users of the social network about your activities on our website. You have the right to object to the creation of these user profiles, whereby you must contact the respective plug-in provider to exercise this right.
The legal basis for the use of the plug-ins is our legitimate interest in giving you the opportunity to interact with the social networks and other users so that we can improve our offer and make it more interesting for you as a user, Art. 6 (1) (1) f GDPR.
11.4.3 The data transfer takes place regardless of whether you have an account with the plug-in provider and are logged in there. If you are logged in to the plug-in provider, the data we collect is directly associated with your account at the plug-in provider. If you click the activated button and link to the page, for example, the plug-in provider also stores this information in your user account and shares it publicly with your contacts. We recommend that you log out regularly after using a social network, but especially before activating the button, as this prevents association with your profile at the plug-in provider.
11.4.4 Further information on the purpose and scope of data collection and its processing by the plug-in provider can be found in the privacy policies of these providers disclosed below. There you will also find further information about your respective rights and privacy settings.
11.4.5 Addresses of the respective plug-in providers and links to their privacy policies:
• Facebook Inc., 1601 S California Ave, Palo Alto, California 94304, USA: Data Policy
12.1 We have integrated YouTube videos into our website, which are stored on the YouTube page of DKMS and can be played back directly on our website.
YouTube is operated by YouTube, LLC, 901 Cherry Ave, San Bruno, CA 94066, USA. YouTube, LLC is a subsidiary of Google Inc, 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.
12.3 By integrating YouTube, we improve our offer and can make it more interesting for you as a user. The legal basis for the integration is our legitimate interest according to Art. 6 (1) (1) f GDPR.
Information about your right of objection pursuant to Art. 21 GDPR
You have the right to object at any time, on grounds relating to your particular situation, to the processing of your data based on Art. 6 (1) f GDPR (data processing based on a balance of interests). If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
In individual cases, we also process your personal data for direct advertising purposes. If you do not wish to receive advertising, you have the right to object to this at any time; we will observe this objection for the future.
We will no longer process your data for the purposes of direct advertising if you object to processing for this purpose.
The objection can be made in any form and should be addressed to: