Privacy Notice

1. Overview

1.1. This Privacy Notice has been drawn up to provide you with an overview of how we record, save, process, pass on or transmit your data when you visit our website or use the services offered on our website.

1.2. When processing your personal data, we strictly adhere to the data protection specifications of the EU General Data Protection Regulation (GDPR) and the Data Protection Act 2018. We also follow guidance provided by the Information Commissioner’s Office.

1.3. Personal data comprises all data that relates to you personally, including your IP address, name, address, e-mail data and user behaviour.

1.4. We reserve the right to modify the content of this Privacy Notice and therefore recommend that you consult this notice at regular intervals.

1.5. The controller as per Article 4 para. 7 of the EU General Data Protection Regulation (GDPR) is DKMS Foundation (also known as DKMS UK). DKMS Registry gGmbH (Kressbach 1, 72072, Tübingen, Germany) is also a joint controller of DKMS UK’s personal data relating to blood stem cell donor recruitment, registration and collection.

1.6. DKMS UK’s data protection officer can be contacted by email at: dataprotection@dkms.org.uk or by writing to our postal address with reference to the “Data Protection Officer”.

2. What personal data do we process?

We record data relating to you when you visit our website or use our services offered on the website. Depending on how you use our website, this may comprise the following information:

2.1. Purely informational use: You can visit our website without providing any personal data. When you use the website purely for informational purposes, in other words, if you do not use our homepage to donate money, register as a blood stem cell donor, complete a contact form or transfer information to us in any other way, we do not record any personal data, with the exception of the data that your browser automatically transmits to our server in order to allow you to visit our website. If you wish to view our website, we record the following data, which is technically necessary in order for us to display our website to you as well as to ensure stability and security:

  • IP address
  • Time zone difference to Greenwich Mean Time (GMT)
  • Country of access
  • Content of the request (ie, the specific page)
  • Date and time of the request
  • Website from which the request originates
  • Transmitted data volume
  • HTTP status code
  • Operating system and its interface
  • Language and version of the browser software
  • Whether cookies on/off
  • Notification whether access/retrieval was successful.

This information relates to the computer system used. We use this data (with the exception of your computer’s IP number) solely for statistical purposes, to measure demand for our web content and services. We simply record this data cumulatively for all users of the website, meaning that it is not possible to assign the data to a specific person. This data is not merged with data from other data sources.

2.2. In addition to providing a website for informational purposes, we provide you with various services (donating money, ordering a registration kit, contact forms, etc), which you can use if interested. To do this, you usually need to provide further personal data, which we require in order to provide the respective service.

2.2.1. Contact via e-mail or contact form: If you contact us by e-mail or one of the contact forms provided when visiting our website, we will additionally process and save the data that you have provided (your e-mail address and, possibly, your name and phone number) in order to answer your questions. User data may be saved in a customer relationship management system (CRM system) or some comparable system.

2.2.2. Donating money via our website: If you would like to use the option provided on our website to donate money, we will also process the data you share that is required to perform the requested transaction. The way we process your personal data depends on the selected payment method:

  • Payment by credit card: When you select payment by credit card, we process your name, address and e-mail address to perform the required payment transaction and to send you confirmation of donation if required.
  • Payment by direct debit: If you use the option available on our website to donate money via direct debit, we will process your name, address and e-mail address as well as your account data to perform the payment transaction and to send you confirmation of donation, if required.
  • Payment by PayPal: If you decide to pay using the online payment services provider PayPal, you will be redirected to the PayPal website. PayPal is a service from PayPal (Europe) S.à.r.l. & Cie. S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg. PayPal assumes the function of an online payment services provider and trustee and offers protection services. The data protection regulations of PayPal apply in this case. You can find PayPal’s Privacy Statement here. If you choose this payment method, we shall only process the personal data you provide to the extent that this is necessary to assign the payment made. This information is always your name, your e-mail address and, if applicable, your address. However, this only happens if you have agreed during the payment procedure on the PayPal website that your address and name will be passed on to us to confirm your donation.
  • Payment by Apple Pay: If you decide to make a donation via Apple Pay, you will be accessing services provided by Apple Inc, One Apple Park Way, Cupertino, California, USA, 95014, which assumes the function of an online payment services provider for those Apple account holders who choose to use these services. In these circumstances, for users in the European Economic Area, the data controller will be Apple Distribution International Limited in Ireland, and the relevant privacy notice and terms and conditions of use can be found at Legal - Apple Privacy Policy - Apple, while a more general overview can be found here Apple Pay & Privacy – Apple Support (UK). If you choose this payment method, we shall only process the personal data you provide to the extent that this is necessary to assign the payment made. This information is always your name, your e-mail address and, if applicable, your address.
  • Payment by Google Pay: If you decide to make a donation via Google Pay, you will be accessing services provided by Google LLC or its wholly-owned subsidiaries, including Google Payment Corp, which assumes the function of an online payment services provider for those Google account holders who choose to use these services. In these circumstances, for users in the European Economic Area, the data controller will be Google Payment Ireland Ltd, and the relevant privacy notice and terms and conditions of use can be found at Google Payments Privacy Notice and Google Pay/Google Payments Terms of Service. The Google Payments Privacy Notice describes how Google, the Google Pay Terms of Service shall prevail. If you choose this payment method, we shall only process the personal data you provide to the extent that this is necessary to assign the payment made. This information is always your name, your e-mail address and, if applicable, your address.
  • Payment by bank transfer: If you decide to pay via bank transfer, we do not process any personal data other than that which is processed when you visit our website purely for information purposes.
  • Payment by SMS: If you decide to make a donation via SMS, we process only your phone number.

2.2.3. Ordering a blood stem cell donor registration kit (sometimes also referred to as a “buccal swab kit”): When you visit our website, if you decide to order a kit to register as a blood stem cell donor, we process the following information that you provide directly to us through the registration process:

1. Contact details (name, address, email, phone)

2. Biological sex

3. Height and weight

4. Medical and GP details

5. Ethnicity

6. Date of birth

7. Genetic data collected from returned buccal swabs (if returned to us).

If you return your buccal swabs and are registered as a potential blood stem cell donor, we will retain your data on the DKMS database and the UK Stem Cell Registry until your 61st birthday, unless you withdraw your consent and ask us to remove it before then.

2.2.4. Links to websites of third-party providers

At various places on our website there are links to third-party provider websites. After clicking on the link provided, you are forwarded to the website of the third-party provider concerned. In the process of forwarding, user information is transmitted to the third-party provider. If you send information to or via these sites of third-party providers, we recommend that you read the data protection privacy policies for these sites before providing them with any further information that can be assigned to you personally. For information with regard to how your data is handled while using the websites of third-party providers, please refer to the respective data protection policies of the third-party providers. We are not responsible for their operation, including how they handle data.

2.3 Studies Market Research

We are improving our website and our information material for you in order to provide you and other registered donors with the most helpful information possible about stem cell donation. For this reason, we invite you to participate in our surveys in order to better understand what it means to you to be registered with DKMS and what information you would like to receive from us in the future. All data, including personal data (e.g. gender, age, place of residence, origin), which you provide to us as part of the survey will be analyzed and evaluated anonymously. Typically, we transmit your data to market research companies who collect, anonymize and evaluate your data as our processor so that we only receive the results in anonymized form. Once the analyses have been evaluated, your personal data will be deleted immediately.

We process your data for the above purposes on the basis of the following legal bases:

- Your consent pursuant to Art. 6 para. 1 subpara. 1 lit. a UK GDPR,

- your consent pursuant to Art. 9 para. 2 lit. a UK GDPR, if we ask you for special personal data (e.g. its origin)

- to safeguard our legitimate interests in accordance with Art. 6 para. 1 lit. f UK GDPR; our legitimate interest is based on our interest in encouraging as many stem cell donors as possible to register in order to save the lives of as many cancer patients as possible. In order to improve and optimize our vital work, we would like to better understand what it means for you to be registered with DKMS and what information you are interested in about stem cell donation.

3. For what purposes do we process your personal data?

3.1. We only process your personal data to the extent that is necessary in order to provide a working website and to provide our content and services. Personal data is only processed on a regular basis where this is permitted by statutory provisions or where the person concerned has given consent.

3.2. If you use our website purely for informational purposes, we record only the data that is technically necessary in order for us to display our website to you as well as ensure stability and security. The legal basis for processing is “legitimate interest” under Article 6 para. 1 (f) of the GDPR.

3.3. When you contact us by e-mail or via a contact form, your personal data will only be used for the purpose of answering your request. The legal basis for processing is “legitimate interest” under Article 6 para. 1 (f) of the GDPR.

3.4. If you use our website to donate money, your data shall be processed only to the extent that this is necessary to fulfill the donation contract. The legal basis for processing your personal data is “performance of a contract” under Article 6 para. 1 (b) of the GDPR.

3.5. If you use our website to request delivery of a blood stem cell registration kit (also known as a buccal swab kit), we shall use the data you provide in this process to send you the registration kit via post and to accelerate the important registration process. The personal and genetic data we collect via the registration process and via the return of the buccal swab is used for the following purposes:

  • To register you as a potential blood stem cell donor on the DKMS database and as part of the UK Stem Cell Registry.
  • To allow your tissue characteristics to be matched with those of potential blood stem cell transplant recipients (ie, patients with blood cancers or disorders in need of a potentially life-saving stem cell transplant).
  • Using your pseudonymised genetic data for scientific analysis, assessment and immunogenetics research aimed at improving the process and outcomes of blood stem cell transplantation for patients with blood cancers and disorders.
  • To fulfil and comply with any lawful requests from regulatory or enforcement agencies that oversee DKMS UK’s work in the field of blood stem cell donor recruitment and blood stem cell transplantation.

3.6. On the website we process your e-mail address solely for the purpose of any existing queries and information relating to the registration kit order.

3.7. The legal basis for processing your personal/genetic data is your express and freely given consent provided in accordance with Article 6 para. 1 (a) of the GDPR.

4. How do we process your personal data?

4.1. When you use our website, your data is transmitted to us in encrypted form in order to prevent access by unauthorised third parties. We save your data on specially protected servers. Access to that personal data is only possible for those DKMS employees with special authorisation, all of whom are familiar with the relevant Data Protection Regulations and compelled to comply with them.

5. Is personal data passed on to third parties?

5.1. Your personal data is passed on to third parties in the following circumstances:

  • Donating money via the website: If you decide to use the online payment services provided on our website by PayPal, Apple Pay or Google Pay, your data will be passed on to those service providers or you will be directed to their websites in order for your personal data to be processed – for more information, see section 2.2.2 above of this Privacy Policy.
  • Ordering a blood stem cell donor registration kit (also referred to as a “buccal swab kit”): We use trusted third-party suppliers to process the data you provide via our online registration processes, in order to process your request for a buccal swab pack, where applicable, and to process your data and returned swabs. All our third-party suppliers work under strict data protection and confidentiality agreements in order to ensure the highest standards of data security, processing and storage. We will share and transfer your data as a potential and actual blood stem cell donor in pseudonymised form with:
    • Anthony Nolan (registered charity in England and Wales, no 803716; www.anthonynolan.org),
    • the National Marrow Donor Program (in the USA),
    • ZKRD (Zentrale Knochenmarkspender Registry Deutschland)
    • the World Marrow Donor Association, and with
    • other DKMS entities (namely, DKMS Germany and DKMS Registry)

in order that the information can be listed on the UK Stem Cell Registry and made available in the UK and internationally (including outside the EEA) to stem cell donor registries, transplant centres, search units, laboratories and other healthcare institutions for the purpose of

  • searching for,
  • finding and matching potential donors with patients in need of a blood stem cell transplant.

Only such data will be transmitted which is relevant for the donor search. In summary, this includes

  • a donor identification number,
  • biological sex,
  • date of birth,
  • tissue typing results,
  • the number of tissue typings conducted to date, and
  • the donor status (available or unavailable).

Names, addresses or similar identifying data will not be transmitted.

These registries, transplant centres and other providers are contractually required by us only to use your personal data for the agreed purposes and to prevent accidental disclosure to third parties. Authorised regulators and auditors may also have access to your data to fulfil their regulatory and safeguarding functions. In the event that you are identified as a potential match for a patient in need of a stem cell transplant, then we will contact you again to inform you about the next steps and seek your consent for the collection of additional personal and medical information and for the further processing, storage and use of the data that we hold about you.

5.2. We do not sell or rent your data to any other companies or organisations. We will under no circumstances use your e-mail address or other data without your agreement for any other purposes for which you have not given your consent.

6. How long do we save your personal data?

General overview

6.1. We will only save any personal data that you have transmitted or provided until the purpose for doing so has been fulfilled, until you revoke your consent, until you object to the data being processed or until you request the deletion of your data.

Using our website purely for informational purposes

6.2. If you use the website purely for informational purposes, we will save your data on our servers only for the duration of your visit to our website. Once you leave our website, your data will be immediately deleted.

Contacting us by email or using a contact form on the website

6.3. If you contact us by e-mail or using one of the contact forms on our website, we will delete any data recorded in this context once it is no longer necessary to save the data or will restrict processing if any statutory storage obligations exist. We check necessity on a regular basis.

Donating money

6.4. If you have used our website to donate money and we processed data to issue you with confirmation of the donation we will save your data until you revoke your consent to the data being processed or until you request the deletion of your data in accordance with the procedure described under section 8. In this case, your data will be blocked and then deleted once any statutory archiving periods have expired.

Ordering and returning a blood stem cell donor registration kit

6.5. If you have used our website to order a registration kit, we will retain your personal data in line with the retention periods set out in the table below, depending upon your personal profile, whether or not you return the buccal swab and whether or not you consent to the use of your data for alternative or additional data processing purposes.

6.6. In the event that you do not return your buccal mouth swab, we will make at least two attempts to contact you and request you return it by e-mail. More attempts may be made for potential donors in priority categories, such as young male donors or those from minority ethnic and racial backgrounds. If these attempts elicit no response, your data will be blocked, ie, you will no longer receive any messages from us, and then deleted.

Summary of DKMS retention periods

Personal Profile: Registered potential blood stem cell donors (up to age 61).

Nature of personal data collected, processed and stored:

  1. Contact details (name, address, email, phone)
  2. Biological sex
  3. Height and weight
  4. Medical and GP details
  5. Racial/ethnic heritage
  6. Genetic data from returned buccal swab
  7. Date of birth.

Data retention periods:

Retained until the age of 61 unless:

  • consent withdrawn or request received to remove details from the stem cell register; or
  • consent subsequently given for processing of personal data for fundraising/supporter purposes, in which case only data in items 1 and 2 will be kept. (See also further below).
  • At the end of the retention period, the genetic data (item 6) stored in the swab becomes anonymised.

Personal Profile: Online registrants (all ages) who never return buccal swabs.

Nature of personal data collected, processed and stored:

  1. Contact details (name, address, email, phone)
  2. Biological sex
  3. Height and weight
  4. Medical and GP details
  5. Racial/ethnic heritage
  6. Date of birth.

Data retention periods: Retained for 12 months post-dispatch of swab pack.

Personal Profile: Fundraising supporters, or registered potential blood stem cell donors who agree to become fundraising supporters after reaching the age of 61.

Nature of personal data collected, processed and stored:

  1. Contact details (name, address, email, phone)
  2. Biological sex
  3. Bank details
  4. Donation/supporter history.

Data retention periods: Current financial year, plus six years from last financial donation.

Personal Profile: Ineligible donors identified during online registration process.

Nature of personal data collected, processed and stored:

  1. Contact details (name, address, email, phone)
  2. Biological sex
  3. Height and weight
  4. Medical and GP details
  5. Racial/ethnic heritage
  6. Date of birth.

Data retention periods: Retained for 12 months, unless consent is given for alternative processing purposes, eg, fundraising.

Personal Profile: Ineligible donors identified post registration, during the selection and matching process.

Nature of personal data collected, processed and stored:

  1. Contact details (name, address, email, phone)
  2. Biological sex
  3. Height and weight
  4. Medical and GP details
  5. Racial/ethnic heritage
  6. Genetic data from returned buccal swab.

Data retention periods: Retained for 12 months, unless consent is given for alternative processing purposes, eg, fundraising.

7. What information will you receive from DKMS UK?

7.1. By becoming part of the DKMS UK database of potential blood stem cell donors, you will receive essential communications related to the operation of the UK stem cell register, including

  • information about the process or regulation of blood stem cell donation, and any changes to that process or regulation
  • an annual letter/email from us, asking you to confirm your up-to-date contact details and to inform us of any personal information changes necessary to being part of our database and the register.

7.2. We believe it is important for us to remain in contact with you, particularly if you are a registered blood stem cell donor, for the following reasons. The communication specified under para 7.1 is directly linked to successful donations.

When someone registers as a potential blood stem cell donor, it could be many years before they are called upon as a donor, which means there is a risk of this person forgetting about their commitment. Therefore, we keep in contact with our donors to remind them of their registration and provide the news and information needed to increase the likelihood they are ready, available and contactable if they are called upon as a match for a patient.

In the event of a stem cell donation, it is essential that the potential donor is available, as time is of the essence for the affected patient. This minimum level of contact, therefore, increases the possibility of giving someone a second chance of life.

7.3. Provided you have given your consent, in addition to the information specified under item 7.1, you may also receive promotional emails and mailings that contain general information regarding our activities.

If, in addition to your consent to register as a stem cell donor, you have given us your consent to receive regular messages by e-mail, we will also process your personal data beyond the purposes listed in section 7.2 for sending information about the activities of DKMS and appeals for donations as well as for promotional surveys and market research. We process your data for the above purposes on the basis of the following legal bases:

- Your consent pursuant to Art. 6 para. 1 subpara. 1 lit. a UK GDPR,

- to safeguard our legitimate interests in accordance with Art. 6 para. 1 lit. f UK GDPR; our legitimate interest is based on our interest in encouraging as many stem cell donors as possible to register in order to save the lives of as many cancer patients as possible. In order to improve and optimize our vital work, we would like to better understand what it means for you to be registered with DKMS and what information you are interested in about stem cell donation.

We are supported in the processing by service providers (e.g. market research companies, IT service providers) who are given access to your relevant data in this context. The processors have been carefully selected and commissioned by us, are bound by our instructions and are regularly monitored. We conclude a so-called order processing contract with order processors in accordance with Art. 28 UK GDPR, according to which they also undertake to comply with data protection. It is not possible to send these e-mails without providing your e-mail address. The data for this will be processed and stored until you withdraw your consent to this processing.

You can revoke your consent at any time with effect for the future.

If you no longer wish to receive these e-mails in the future, you can revoke this service at any time and without giving reasons with effect for the future, in particular by sending us an e-mail with the subject “NONEWS” to nonews@dkms.org.uk or using the contact data in the imprint.

8. What rights do I have?

8.1. You have the following rights with regard to your personal data that we process:

  • Right to information
  • Right to correction or deletion
  • Right to restriction of processing
  • Right to object to processing
  • Right to data portability.

8.2. If you have given your consent for us to process your personal data, you can revoke this at any time. Once you have revoked this, we will no longer process your personal data. It is possible here to revoke consent for specific purposes such as receiving a newsletter.

8.3. If you wish to exercise your rights described above, please submit your request to:

DKMS Foundation,
Ashburnham House
Castle Row
Horticultural Place
London
W4 4JQ.

or by e-mail to: dataprotection@dkms.org.uk

8.4. You also have the right to lodge a complaint with the Information Commissioner’s Office about the way in which we process your personal data.

Right to object to processing – information pursuant to Article 21 GDPR

You have the right to object at any time, on grounds relating to your particular situation, to the processing of your data based on Article 6 (1) (f) GDPR (data processing based on “legitimate interest”). If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

9. Storage of IP addresses and cookies

9.1. In addition to the data specified above, we use cookies to make our website available to you. Cookies are small text files that are saved on your hard disk, assigned to the browser that you use, and which supply certain information (see below for details) to the party that set the cookie (in this case, to us). Cookies cannot execute any programs or transfer viruses to your computer. They serve to make the website as a whole more user-friendly and more effective.

9.2. Cookies are stored either temporarily for the duration of the session (session cookies), or permanently (persistent cookies) on your device. Session cookies are automatically deleted after the session ends. Persistent cookies are only deleted when you, the user, delete them or after a period of time has elapsed. Cookies can be stored for us and our website (first-party cookies) as well as by and for third-party companies (third-party cookies). This enables the use of certain services from third-party companies. Cookies have different functions, split into four categories:

  • technically necessary cookies
  • functional cookies
  • analytical cookies
  • advertising/tracking cookies.

Technically necessary cookies are required for the function of our website. Functional cookies facilitate the use of our website and improve its functions. Analytical cookies are used to collect information about your usage behaviour in order to make the website even better for you. Advertising/tracking cookies are used to provide you with interest-based advertising.

9.3. Cookies are stored on your device and transmitted from it to us or third-party companies. As the user, you have full control over the use of cookies on your device. You can prevent cookies from being stored on your device by making the appropriate settings in the internet browser you are using. Cookies already stored can be deleted at any time. If our website cookies are deactivated and/or deleted, it may no longer be possible to use all functions of the website without restriction.

9.4. We use “local storage” and “session storage” as alternatives to cookies that are integrated in the browser. The web storage stores the data securely in the user’s browser and does not transmit it unencrypted over the internet.

9.4.1. Local storage: The scope includes all browser windows/tabs and is cleared only by JavaScript or with the browser cache.

9.4.2. Session storage: The scope includes an individual browser window/tab and is automatically cleared when the browser window is closed.

9.5. To manage the storage of information in your equipment, such as cookies, or access to information already stored in your equipment, we use the consent management tool:

Piwik PRO Analytics Suite ("Piwik PRO") of the company Piwik PRO GmbH, Lina-Bommer-Weg 6, 51149 Cologne, Germany.

The consent management tool includes the "pop-up" element of a graphical user interface to request privacy settings. When you first visit our site, we use the pop-up "Privacy settings" to actively ask for your permission to collect analytical data about your user behaviour. You can also use the pop-up "Privacy settings" to decide for yourself whether external content is displayed on our site.

In the footer of our website, the consent to cookies, analytics, tag manager, social embeds and YouTube can be viewed, activated and deactivated at any time. The individual uses can be specifically enabled and disabled. All of the following points are dependent on the user granting this consent. If no consent is granted in the privacy settings pop-up or revoked via the privacy settings link in the footer, only cookies that save this block decision are set.

Piwik Pro may use the following cookies, whose category, purpose, domain and storage period are indicated below, as exemplified by the Provider.

Name: _pk_id.<appID>.<domainHash>.
Category: First Party
Purpose: Used to recognise visitors and record their various attributes.
Domain: dkms.org.uk
Storage period: 13 months for non-anonymous visitors; 30 minutes for anonymous visitors if 30 minutes cookie option is enabled

Name: _pk_ses.<appID>.<domainHash>
Category: First Party
Purpose: Indicates the visitor's active session. If the cookie does not exist, it means that the session ended more than 30 minutes ago and was counted in the _pk_id cookie.
Storage duration: 30 minutes

Name: ppms_privacy_<appID>
Category: First-party
Purpose: Stores visitor's consent to data collection and use.
Domain: dkms.org.uk
Storage period: 12 months

Name: stg_traffic_source_priority
Category: First Party
Purpose: Stores the type of source from which the visitor came to your website.
Domain: dkms.org.uk
Storage time: 30 minutes

Name: stg_last_interaction
Category: First Party
Purpose: Indicates whether the last visitor's session is still running or a new session has started.
Domain: First Party
Storage period: 365 days

Name: stg_returning_visitor
Category: First Party
Purpose: Indicates whether the visitor has been to the site before - a returning visitor.
Domain: dkms.org.uk
Storage period: 365 days

Name: stg_fired__<conditionID>
Category: First Party
Purpose: Indicates whether the tag and trigger combination was triggered during the current visitor session. This cookie can be set multiple times with different condition IDs.
Domain: dkms.org.uk
Storage duration: Until the end of the session

Name: stg_utm_campaign
Category: First Party
Purpose: Stores the name of the campaign that brought the visitor to your website.
Domain: dkms.org.uk
Duration of storage: Until the end of the session

Name: stg_pk_campaign
Category: First Party
Purpose: Stores the name of the campaign that led the visitor to your website.
Domain: dkms.org.uk
Storage duration: Until the end of the session

Name: stg_externalReferrer
Category: First Party
Purpose: Stores the URL of the website that referred the visitor to your website.
Domain: dkms.org.uk
Storage duration: Until the end of the session

Name: _stg_optout
Category: First Party
Purpose: Helps to disable all tracking tags on your website.
Domain: dkms.org.uk
Storage period: 365 days

Name: _pk_cvar.<appID>.<domainHash> (deprecated)
Category: First Party
Purpose: Stores a custom variable that is part of the visit scope.
Domain: dkms.org.uk
Storage duration: 30 minutes

The legal basis for the use of technically necessary cookies is Section 25 (2) No. 2 TTDSG.

The processing of data through the use of this cookie takes place in order to obtain the legally required consent for the use of cookies and data processing (Art. 6 para. 1 lit. c) DS-GVO).

The data will be deleted by us as soon as it is no longer required for documentation purposes, you request us to delete it, or you delete the cookie yourself.

For more information about Piwik PRO's privacy policy, please visit: https://piwikpro.de/datenschutz/

When you access our website, the Consent Management Tool will set cookies on your equipment in order to obtain your decision made to store information in your equipment or to access information already stored in the equipment (Section 25 (1) Sentence 1 TTDSG) and to obtain your decision made regarding consent to the processing of your personal data (Art. 6 (1) lit. a DS-GVO) and to document this in accordance with data protection law.

10. Processing of your user data by web analysis tools and online marketing services

10.1 Meta Conversions-API

We use the marketing and analytics service Meta Conversions-API Gateway ("Meta C-API Gateway") of the company Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland on our website.

Meta C-API Gateway is a server-side event tracking tool used to analyse the behaviour of website visitors, serve personalised ads to Meta Facebook users and so determine the success of an advertising campaign. This service is integrated on the server side of the web servers; the events to be tracked, i.e. the user behaviour, are transmitted to Meta for evaluation by means of Meta pixels implemented in your browser and via an application programming interface (API for short).

When you visit our website, extensive personal data is processed via this service. Information stored on your device is accessed and the IP address, a user ID, the browser ID, the advertising ID, the click ID and a product ID are processed. If you have a Meta Facebook account and visit our website with this account, the e-mail address, telephone number, name, gender, birthday, city, post code, state, country and Facebook ID are also processed, where you have added this data to your account or it is held. If you are logged in to Meta Facebook, this information is also assigned to your user account; you can prevent this by logging out beforehand.

This Meta Service is provided by Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland. The parent company Meta Platforms Inc. is located at 1 Hacker Way, Menlo Park, CA 94025, USA. According to Meta, the collected data is also transferred to the parent company in the USA. In the case of the USA, the EU Commission has decided that there is an adequate level of data protection within the meaning of the GDPR. An adequacy decision according to Art. 45 DS-GVO exists (EU-U.S. Data Privacy Framework), as far as the service-providing U.S. company is certified and is therefore on the "Data Privacy Framework List" (or in short: DPF List). Meta Platforms Inc. has been included in the DPF List as a certified company.

You can adjust your advertising settings independently in your Meta Facebook account settings by clicking on the following link and logging in: https://www.facebook.com/settings?tab=ads.

For the use of the Facebook service, the privacy policy and terms of use apply. You can view these at https://de-de.facebook.com/about/privacy and https://www.facebook.com/legal/terms.

We delete the data as soon as it is no longer needed for statistical purposes, and, at the latest, after 180 days.

The provision of your data for Meta C-API is neither legally nor contractually required and is not necessary for the conclusion of a contract.

10.2 Meta Pixel

Meta Pixel is a marketing service used to analyse the behaviour of visitors to the website, serve personalised ads to Meta users and thus determine the success of an advertising campaign. This service is inserted through a script that implements the analysis and with which Meta can track your user behaviour, if you have arrived at our website through Meta Facebook Ads. When you visit our website, a direct connection is established to Meta's servers and information about your user behaviour is transmitted.

In this context, we have activated the advanced data matching function, or automatic advanced matching. This involves the processing of additional data - e-mail address as hash value, personal data, address and/or telephone number - provided that you have made this data available to us as part of your membership account. This gives us the opportunity to adapt our advertising campaigns even more specifically to our interested customers. If you are logged in to Meta Facebook, this information is also assigned to your user account; you can prevent this by logging out beforehand.

Meta Pixel may use the following cookies, whose category, purpose, domain and storage period are indicated below, as described by the Provider by way of example.

Name: _fbp
Category: Third Party
Purpose: This cookie is set by Meta to display advertisements after visiting the website when it is either on Meta Platforms or on a digital platform operated by Meta Advertising.
Domain: dkms.org.uk
Storage period: 3 months

The legal basis for the use of technically necessary cookies is § 25 para. 2 no. 2 TTDSG.

The legal basis for the use of tracking / marketing or analytical cookies is your consent in accordance with Section 25 (1) TTDSG.

The processing of personal data is based on your consent (Art. 6 para. 1 lit. a) DS-GVO).

This Meta service is provided by Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland. The parent company Meta Platforms Inc. is located at 1 Hacker Way, Menlo Park, CA 94025, USA. According to Meta, the collected data is also transferred to the parent company in the USA. In the case of the USA, the EU Commission has decided that there is an adequate level of data protection within the meaning of the GDPR. An adequacy decision according to Art. 45 DS-GVO exists (EU-U.S. Data Privacy Framework), as far as the service-providing U.S. company is certified and is therefore on the "Data Privacy Framework List" (or in short: DPF List). Meta Platforms Inc. has been included in the DPF List as a certified company.

You can adjust your advertising settings independently in your Meta Facebook account settings by clicking on the following link and logging in: https://www.facebook.com/settings?tab=ads.

For the use of the Facebook service, the privacy policy and terms of use apply, which you can view at https://de-de.facebook.com/about/privacy and https://www.facebook.com/legal/terms.

We delete the data as soon as it is no longer needed for statistical purposes, and, at the latest, after 180 days.

The provision of your data for Meta Pixel is neither legally nor contractually required and is not necessary

10.3. Each permission can be activated and deactivated individually. All of the following points are dependent on the user granting this consent. If no consent is given in the “privacy settings” pop-up or revoked via the “consent management” link in the footer, only cookies that store this block decision are set. The use of the consent management tool is based on our legitimate interest in a responsive design of our website, according to Article 6 (1) f GDPR. For more information, please see Piwik PRO’s privacy policy.

10.4. As mentioned in para 10.1, we use the analysis program Piwik PRO Analytics Suite, the software for which is used to collect data that enables us to tailor the design of our website to user requirements and to statistically evaluate the flow of visitors for marketing and optimisation purposes. Pseudonymous usage profiles are also created in this context. Cookies are used for these purposes, which are stored on your computer and which enable a pseudonymous analysis of your use of our website. The IP address is immediately truncated after collection and prior to storage. Piwik PRO Marketing Suite Cloud is hosted on Microsoft Azure in Germany.

10.5. Piwik PRO always analyses the use of our website in anonymised form. If the user consents to Analytics, the analysis of the use of our website is aggregated pseudonymously. This makes it possible, for example, to identify returning users and perform more precise analyses.

10.6. You can specify in the “privacy settings” pop-up and subsequently in the footer via the “consent management” link whether you consent to us using Piwik PRO in the manner described. If you choose not to do so, a Piwik PRO deactivation cookie will be deposited on your end device (“opt-out” cookie). Please note that your browser must accept cookies in order for this cookie to be deposited. If you delete the deactivation cookie, you may have to opt-out again.

10.7. If corresponding consent has been given, the processing is based exclusively on “consent” under Article 6 (1) (a) GDPR. For more information, please see Piwik PRO’s privacy policy.

Piwik Tag Manager

10.8. We also use Piwik PRO Tag Manager on our website. This service allows website tags to be managed via an interface. Piwik PRO Tag Manager does not set any cookies, only tags, and does not collect any personal data. The service triggers other tags, which in turn may collect data. A tag is only triggered if the user has consented to this beforehand. If the user does not grant specific permissions in the “privacy settings” pop-up, the corresponding tags will not be triggered. Tags that do not process personal data are always loaded. However, Piwik PRO Tag Manager does not access this data. If a deactivation has been made at the domain or cookie level, it will apply to all analysis tags implemented with Piwik PRO Tag Manager. For more information, please see Piwik PRO privacy policy.

AddSearch search function

10.9. The results from the search box on our website are made available by the web service of AddSearch Oy, Töölönkatu 4, FI-00100 Helsinki, Finland (“AddSearch”). When you actively use the search box on our website, a data transfer to AddSearch takes place. Only the search terms you enter and your IP address are transmitted.

10.10. In the context of the use of AddSearch, AddSearch uses “Amazon Web Services (AWS)”, based in the USA, as an order processor. Accordingly, some data processing may also take place outside the EU or the EEA. To the extent that AWS thereby transfers your personal data to the USA, we will take precautions to protect your personal data in the best possible way, among other things by using standard contractual clauses from the EU Commission (under Article 46 (2) (c) GDPR). For more information about standard contractual clauses regarding the transfer of personal data to processors outside the EU or EEA, please visit the European Commission’s page on Standard Contractual Clauses.

10.11. The transfer of your personal data for these purposes is based on our legitimate interest in providing you with the search function, pursuant to Article (1) (f) GDPR. Information is not transmitted until at least three characters have been entered in the search. No data will be sent to AddSearch prior to this. For information, please see AddSearch’s privacy policy.

Amazon Web Services: Hosting

10.12. For hosting the database and web content on our website, we use the Amazon Web Services (“AWS”) service provided by Amazon Web Services, Inc. Box 81226, Seattle, WA 98108-1226, USA. The data is stored exclusively in a German data centre (Frankfurt/Main), which is certified according to ISO 27001, 27017 and 2018, as well as PCI DSS Level 1. We only have strictly limited access rights and the data is automatically encrypted.

10.13. For technical reasons, infrastructure maintenance may be carried out by AWS subcontractors from the USA. Accordingly, some data processing may also take place outside the EU or the EEA. To the extent that AWS thereby transfers your personal data to the USA, we will take precautions to protect your personal data in the best possible way, among other things by using standard contractual clauses of the EU Commission (Article 46 (2) (c) GDPR). For more information about standard contractual clauses for the transfer of personal data to processors outside the EU or EEA, please visit the European Commission’s page on Standard Contractual Clauses.

10.14. The transmission of your personal data for these purposes is based on our legitimate interest in being able to provide you with the technical infrastructure of our website, in particular web servers, databases and the sending of emails, pursuant to Article 6 (1) (f) GDPR. For more information about AWS and privacy, please see AWS Privacy Notice and their page on GDPR compliance when using AWS services.

Amazon CloudFront

10.15. As part of the web hosting with AWS, we use technologies provided by AWS or by the Amazon CloudFront content delivery network (“CDN”). A CDN makes extensive media files available via a regionally distributed server network in order to conserve its own server resources. Before the website loads in your web browser, we use Amazon CloudFront to build SSL encryption to the website and to build other security features to protect against harmful influences from the World Wide Web.

10.16. Amazon CloudFront relies on JavaScript code, so you can prevent it from running altogether by disabling JavaScript in your browser settings or installing a JavaScript blocker. Please note that our website may then not be displayed correctly. During this process, your IP address and other data are transmitted to Amazon CloudFront. The legal basis for this is our “legitimate interest” in ensuring the accessibility of our website, Article 6 (1) (f) GDPR. For more information, please refer to the AWS Privacy Notice. To prevent the execution of the Amazon CloudFront – Content Delivery Network (CDN) JavaScript code altogether, you can install a JavaScript blocker.

Amazon Smile

10.17. If you access Amazon Smile via a link on our website, shop at Amazon Smile and select DKMS as your organisation, we will receive 0.5% of your purchase amount as a donation. There are no additional costs involved, as the donation is made directly from Amazon to DKMS Foundation. After you leave our website and go to Amazon Smile, we do not receive or process any personal data about you. For more information about Amazon’s use of data, please see Amazon’s Privacy Notice.

Meta Conversion API

10.18. We use the Meta Conversion API, a server-side event tracking tool, on our website.

Personal data
Usage data (e.g. web pages visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses), location data (information about the geographical position of a device or person). Extended data processing: email address, phone number, gender, date of birth, first and last name, address, user IDs.

Purpose of data processing
This is a data interface through which we transmit data about your behaviour on our website to Facebook for evaluation. This enables us to show you advertisements that match your user behaviour on our website.

Recipients
We do not pass on your data to third parties. In the area of the Facebook conversion API, however, we work together with Facebook, which compiles user statistics together with us. In the process, data is also processed in the USA. We use the standard contractual clauses approved by the EU Commission as the basis for this data processing.

Provider
Facebook Inc., 1601 S California Ave, Palo Alto, California 94304, USA; https://www.facebook.com/policy.php; further information on data

Purpose of data processing
Meta Conversion API

Details/information on data protection
https://www.facebook.com/about/privacy
https://www.facebook.com/settings?tab=ads

Duration of data storage
You can revoke your consent for data processing by Conversion API for our web domain at any time with future effect by adjusting your preferences in our consent settings. To do so, simply deselect the "Marketing" section.

Legal basis
Art. 6 para. 1 a) DSGVO (GDPR)

Provision prescribed or required
The provision of the aforementioned personal data is not required by law or contract.

11. What social media plug-ins do we use?

11.1. We use social media plug-ins from various social networks on our website. If you access a specific page on our website that contains such a plug-in, your browser establishes a direct connection with the servers of the social networks after you have given your permission in the “privacy settings” pop-up to display external content on our site. The content of the plug-in is transmitted directly to your browser by the social networks and integrated into the website by the browser. By making a selection in the “privacy settings” pop-up, you decide which external content is displayed on our website and you can change this setting at any time by clicking on the “consent management” link in the website footer.

11.2. The integration of the plug-ins informs the social networks that you have accessed the corresponding page on our website. If you are logged in to one or more social networks, the social networks in question can assign the visit to your account. If you interact with the plug-ins, for example by clicking the “Like” button or sending a tweet, the corresponding information is transmitted from your browser directly to, e.g., Facebook and Twitter and stored there.

11.3. We are not responsible for the services of third-party providers whose offers are linked on our website, such as Twitter or Facebook. These third-party providers are not able to associate the IP addresses with other personal data collected via the DKMS website. More information on data collection by third-party providers can be found on the respective websites of these providers.

11.4. We are currently using the following social media plug-ins: Facebook, Twitter and Instagram. We make it possible for you to communicate directly with the provider of the plug-in via the corresponding social media share button. The plug-in provider is only notified that you have accessed the corresponding page of our website if you click on the highlighted field and thereby activate it. The data mentioned in para 2.1 of this Privacy Policy will also be transmitted. In the case of Facebook, the IP address is anonymised immediately in the UK after it has been recorded, according to the respective provider. By activating the plug-in, your personal data is transmitted to the respective plug-in provider and stored there (in the case of US providers, in the USA). Since the plug-in provider collects data in particular via cookies, we recommend that you delete all cookies via your browser’s security settings before clicking on the greyed-out box. Please also note the following in relation to social media plug-ins:

11.4.1. We have no control over the data collected and data processing operations, nor are we aware of the full extent of the data collection, the purposes of the processing or the retention periods. We also have no information on the deletion of the collected data by the plug-in provider.

11.4.2. The plug-in provider stores the data collected about you as usage profiles and uses them for the purposes of advertising, market research and/or the customised design of its website. Such analysis is carried out in particular (even for users who are not logged in) to provide targeted advertising and to inform other users of the social network about your activities on our website. You have the right to object to the creation of these user profiles, whereby you must contact the respective plug-in provider to exercise this right. The legal basis for the use of the plug-ins is our legitimate interest in giving you the opportunity to interact with the social networks and other users so that we can improve our offer and make it more interesting for you as a user, Article 6 (1) (f) GDPR.

11.4.3. The data transfer takes place regardless of whether you have an account with the plug-in provider and are logged in there. If you are logged in to the plug-in provider, the data we collect is directly associated with your account at the plug-in provider. If you click the activated button and link to the page, for example, the plug-in provider also stores this information in your user account and shares it publicly with your contacts. We recommend that you log out regularly after using a social network, but especially before activating the button, as this prevents association with your profile at the plug-in provider.

11.4.4. Further information on the purpose and scope of data collection and its processing by the plug-in provider can be found in the privacy policies of these providers disclosed below. There you will also find further information about your respective rights and privacy settings.

11.4.5. Addresses of the respective plug-in providers and links to their privacy policies:

  • Facebook Inc., 1601 S California Ave, Palo Alto, California 94304, USA: Data Policy.
  • Twitter Inc., 1355 Market St, Suite 900, San Francisco, California 94103, USA: Privacy Policy.
  • Instagram: Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland: Privacy Policy.

12. How are YouTube videos integrated?

12.1. We have integrated YouTube videos into our website, which are stored on the YouTube page of DKMS and can be played back directly on our website. YouTube is operated by YouTube, LLC, 901 Cherry Ave, San Bruno, CA 94066, USA. YouTube, LLC is a subsidiary of Google Inc, 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.

12.2. By visiting the website, YouTube receives the information that you have accessed the corresponding subpage of our website. The data mentioned in para 2.1 of this Privacy Policy will also be transmitted. This occurs regardless of whether you have a YouTube user account that you are logged in to or not. If you are logged in to Google, your data is directly assigned to your account. If you do not want data to be assigned to your YouTube profile, you have to log out before activating the button. YouTube stores your data as usage profiles and uses them for the purposes of advertising, market research and/or the customised design of its website. Such analysis is carried out in particular (even for users who are not logged in) to provide targeted advertising and to inform other users of the social network about your activities on our website. You have the right to object to the processing of your personal data, whereby you must direct the objection to YouTube and Google.

12.3. By integrating YouTube, we improve our offer and can make it more interesting for you as a user. The legal basis for the integration is our legitimate interest according to Article 6 (1) (f) GDPR.

12.4. For more information on the purpose and scope of data collection and processing by YouTube, please see Google’s Privacy Policy. There you will also find further information on your rights and setting options to protect your privacy. Please note that we have no control over how and for how long YouTube and Google retain this data. Google’s Privacy Policy provides information about the collection, processing and use of personal data by YouTube and Google.

13. Google Ads (formerly Adwords) and Conversion Tracking

We use Google Ads and Conversion Tracking of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter "Google"). In case of your consent, if you click on a Google ad, a cookie will be set on your computer. These cookies lose their validity after 30 days, do not contain any personal data and are not used for personal identification. If you visit certain pages of our website and the cookie has not yet expired, Google and we can recognize that you clicked on the ad and were redirected to that page. Each Google Ads customer receives a different cookie. Thus, the cookies cannot be tracked across Google Ads customers' websites.
The information obtained using the cookie is used to create conversion statistics for Adwords customers who have opted in to Google Ads and conversion tracking. The Adwords customers learn the total number of users who clicked on their ad and were redirected to a page tagged with a conversion tracking tag. However, they do not receive information that personally identifies users.

Order processing:
The legal basis for the use of marketing cookies is Art. 6 (1) a) or Art. 49 (1) a) DSGVO in conjunction with your consent.

Revocation: You can revoke your consent to the use of marketing cookies and smart pixels at any time with effect for the future. You can find the link to the consent settings in the footer.

Objection to data processing: You can also prevent the cookie from being set by adjusting your browser software settings. In addition, you can deactivate the use of cookies by Google by following the link below and installing the plug-in provided there: www.google.com/settings/ads/plugin, or by deactivating Google Conversion Tracking at https://www.google.com/settings/ads/onweb/?hl=de.

More information about Google Ads (formerly AdWords) and Conversion Tracking as well as Google's privacy policy can be found at: https://www.google.com/privacy/ads.

14. Questions and comments

If you have any questions regarding this Website Privacy Notice, please contact our data protection officer at dataprotection@dkms.org.uk.