Data Protection & Privacy

Privacy notice

In this privacy notice we inform you about the processing of your personal data when you use our website (https://www.go4bsb.de) or our app (hereinafter referred to collectively as the “Service”).

Contents of this privacy notice
1.    Data controller and contact
2.    Data processing in our Service
2.1    Connection data
2.2    Contact
2.3    Registration
2.4    Optional data and interaction with the platform
2.5    Preferences
2.6    Use of media
3.    Use of tools
3.1    Technologies used
3.2    Legal basis
3.3    Necessary tools
4.    Disclosure of data
5.    Data transfers to third countries
6.    Storage period
7.    Your rights, in particular withdrawal and objection
8.    Changes to this privacy notice

1. Data controller and contact

With regard to the processing of your personal data, the following bodies/institutions are contact points and so-called joint controllers (Art. 26 GDPR):

Bernhard Nocht Institute for Tropical Medicine (“BNITM”)
Bernhard-Nocht-Straße 74
20359 Hamburg, Germany
Email: info@go4bsb.de

Robert Koch Institute (“RKI”)
Nordufer 20
13353 Berlin, Germany
Email: Datenschutz@rki.de

Bundeswehr Institute of Microbiology (“IMB”) 
Neuherbergstraße 11
80937 Munich, Germany
Email: institutfuermikrobiologie@bundeswehr.org

Friedrich-Loeffler-Institut (“FLI”)
Südufer 10
17493 Greifswald – Insel Riems, Germany
Email: datenschutz@fli.de

Gesellschaft für Internationale Zusammenarbeit GmbH (“GIZ”)
Registered offices: Bonn and Eschborn
Friedrich-Ebert-Allee 32 + 36
53113 Bonn, Germany
Dag-Hammarskjöld-Weg 1 - 5
65760 Eschborn, Germany
Email: datenschutzbeauftragter@giz.de

If you have any questions about data protection in connection with using our Service, you can also contact our data protection officers at any time, with the BNITM acting as the central point of contact. Alternatively, you can contact one of the GO4BSB consortium partners directly. We expressly point out that emails sent to the above addresses will not be read solely by the data protection officers. If you wish to share confidential information, please first use the email address to request direct contact.

2. Data processing in our Service

2.1 Connection data

Every time you use our Service, we process connection data automatically transmitted by your device in order to enable you to visit our Service. This connection data comprises what is known as HTTP header information, including the user agent, and includes in particular:

  • IP address of the requesting device;
  • Method (e.g. GET, POST), date and time of the request;
  • Address and path of the requested file;
  • If applicable, the previously visited file (HTTP referer);
  • Information about the browser used or the app and the operating system;
  • Version of the HTTP protocol, HTTP status code, size of the file delivered;
  • Request information such as language, type of content, coding of content, character sets;
  • On our website: cookies stored on the device of the domain accessed.

It is absolutely necessary to process this connection data to enable the use of our Service, to guarantee the long-term functionality and security of our systems, and for the general administrative maintenance of our Service. The connection data is also stored in internal log files for the purposes described above, temporarily and limited to the absolute minimum, in order for example to find the cause of and take action against repeated or criminal requests that endanger the stability and security of our Service.
It is necessary to process this data to enable the use of our Service and to guarantee the long-term functionality and security of our systems. The legal basis is Art. 6(1) Sentence 1(b) GDPR.

2.2 Contact

There are a number of ways for you to contact us, for example by email. In this context we process your data exclusively for the purpose of communicating with you.
The legal basis for this processing is Art. 6(1) Sentence 1(b) GDPR, insofar as your information is required to respond to your enquiry or to initiate or perform a contract. In addition, we base the data processing on Art. 6(1) Sentence 1(e) GDPR in conjunction with Sect. 3 of the German Federal Data Protection Act (BDSG), insofar as the data processing is necessary for the performance of a task within our competence or in the exercise of official authority; this includes in particular the provision of information to the public. With regard to the GIZ, data processing may also be based on Art. 6(1) Sentence 1(f) GDPR, due to the legitimate interest in being able to respond to your enquiry after you make contact.

2.3 Registration 

In order to use the full functionality of our Service, you can register an account for our login area. In particular, the following information must be provided as part of the registration process:

  • Login name;
  • Password;
  • Email address;
  • First and last name;
  • Project affiliation;
  • Contact person;
  • Email address of the contact person;
  • Read status of the privacy notice.

The legal basis for the processing of the data required for registration (mandatory fields) is Art. 6(1) Sentence 1(b) GDPR.

2.4 Optional data and interaction with the platform

When you use our Service, we integrate the Moodle platform. In addition to the information required during registration, you can provide additional optional information that is voluntary. This is in particular:

  • Profile information (description, other names, personal interests, photo, city and country, gender identity);
  • Contact information (phone, address, Skype, Yahoo, website);
  • Professional information (institution, department).

You can change or delete the optional information at any time. To do this, first click on your profile, then on “Preferences” and “Edit profile”.
In addition, you may voluntarily send messages, create posts, make comments, rate courses and otherwise interact on this platform. We process the data generated in this context in order to enable the full use of the platform.

The legal basis for this processing is Art. 6(1) Sentence 1(a) GDPR, your voluntary consent, which you give by using the respective optional features and by filling in the optional information. You can withdraw this consent at any time by deleting your optional details. Alternatively, you can also delete your account.

2.5 Preferences

In the preferences, you can adjust the visibility of your current or future data. This concerns the following settings in particular:

  • Visibility of email address;
  • Default visibility of the content bank.

In addition, you can select, for example, who can send you personal messages and which system messages are sent by email. To adjust the preferences, first click on your profile and then on “Preferences”.

2.6 Use of media

Media is either uploaded directly via the platform or, in the case of external media, linked. Direct integration of external media is not planned.

3. Use of tools

3.1 Technologies used

Our Service may use tools provided either by us or by third parties. This includes, for example, tools that use technology to store or access information on the device.

Only on the website:

  • Cookies: Information stored on the device, consisting in particular of a name, a value, the storing domain and an expiry date. So-called session cookies (e.g. PHPSESSID) are deleted after the session, while so-called persistent cookies are deleted after the specified expiry date. Cookies can also be removed manually.
  • Web storage (local/session storage): Information stored on the device, consisting of a name and a value. Information in session storage is deleted after the session, while information in local storage has no expiry date and basically remains stored unless a mechanism for erasure has been set up (e.g. storage of local storage with time entry). Information in the local and session storage can also be removed manually.

Only in the app:

  • Software development kits (SDKs): A package of various development tools for creating programs in a particular programming language and for a particular operating system, which also uses application programming interfaces (APIs) to integrate other software.

On the website and in the app:

  • JavaScript: Programming codes (scripts) embedded or retrieved in the website or app that, for example, set cookies and web storage or actively collect information from the device or about the usage behaviour of the visitor. JavaScript can be used for “active fingerprinting” and usage profiling where appropriate. JavaScript can be blocked by changing your browser settings, but this will prevent most services from working.
  • Pixel: Tiny graphic loaded on a website or app that can make it possible to recognise visitors by automatically transmitting the usual connection data (in particular IP address, information about the browser or app, operating system, language, address retrieved and time of retrieval) and to determine, for example, whether an email has been opened or a website or app has been visited. Pixels can sometimes be used to carry out “passive fingerprinting” and create usage profiles. The use of pixels can be prevented, for example, by blocking images in emails, although this severely limits what can be displayed.

These technologies, as well as the mere establishment of a connection when using our Service, can create so-called fingerprints, i.e. usage profiles that can be used to identify visitors. Manually preventing fingerprints from being created when a connection is made is not fully possible.

On websites: most browsers are set by default to accept cookies, run scripts and display graphics. However, you can usually adjust your browser settings in such a way that all or certain cookies are rejected or scripts and graphics are blocked. If you choose to completely disable cookies, graphics and scripts, our Service may not function properly or at all.
In the following, we list the tools we use by category, informing you in particular about the providers of the tools, how long the cookies or information in local and session storage are stored, and data transfers to third parties. We also explain in which cases we obtain your voluntary consent to use the tools and how you can withdraw it.

3.2 Legal basis

Where we use tools that are necessary to run the Service, we do so based on Art. 6(1) Sentence 1(e) GDPR in conjunction with Sect. 3 of the German Federal Data Protection Act (BDSG), insofar as the data processing is necessary for the performance of a task within our competence or in the exercise of official authority; this includes in particular the provision of information to the public. With regard to the GIZ, data processing may also be based on Art. 6(1) Sentence 1(f) GDPR, due to the legitimate interest in providing the basic features of the Service. In certain cases, these tools may also be necessary for the performance of a contract or to take steps prior to entering into a contract, in which case the processing is carried out in accordance with Art. 6(1) Sentence 1(b) GDPR. In these cases, information is accessed and stored on your device because this is absolutely necessary, and on the basis of the EU Member States’ laws implementing the ePrivacy Directive, which in Germany means according to Sect. 25(2) of the German Telecommunications and Telemedia Data Protection Act (TTDSG).

Where we use other non-essential (optional) tools that provide additional functionality, we do so on the basis of your consent pursuant to Art. 6(1) Sentence 1(a) GDPR. Information is then accessed and stored on your device on the basis of the EU Member States’ laws implementing the ePrivacy Directive, which in Germany means according to Sect. 25(1) of the German Telecommunications and Telemedia Data Protection Act (TTDSG). Data processing using these tools will only take place if we have received your prior consent.
For cases involving the transfer of personal data to third countries (such as the US), we refer you to Section 5 (“Data transfers to third countries”), which also explains the possible associated risks. We will inform you if an adequacy decision exists for the third country in question or if there are standard contractual clauses or other safeguards in place for the use of certain tools. If you have given your consent to the use of certain tools and to the associated transfer of your personal data to third countries, we (also) transfer the data processed when using the tools to third countries on the basis of this consent pursuant to Art. 49(1)(a) GDPR.

3.3 Necessary tools

We use certain tools to enable the basic functionality of our Service (“necessary tools”). These include, for example, tools used to prepare and display the content of our Service, to register and authenticate users, to carry out aggregated reach measurement, to detect and prevent fraud, and to ensure the security of our Service. We would not be able to provide our Service without these tools. Therefore, necessary tools are used without consent.

For the legal basis for necessary tools and information about the possibility of transfers to third countries, please refer to Section 3.2.

3.3.1 Our own tools

We use our own necessary tools that access or store information on the device, in particular:

  • For login authentication (on the website: “MOODLEID1_” (for 2 months) and “MoodleSession” (for the session));
  • To save your language preferences (on the website: “pll_language” (for 1 year));
  • To temporarily store the structure and content of the Service (on the website: in local and session storage);
  • To note that information placed in our Service has been displayed to you – so that it will not be displayed again the next time you visit the Service (on the website: “viewed_cookie_policy”, “CookieLawInfoConsent”, “cookielawinfo-checkbox-necessary” and “cookielawinfo-checkbox-non-necessary” (for 1 year)).

3.3.2 Matomo

Our Service uses Matomo (formerly Piwik), an open-source analytics software solution, for aggregated reach measurement. Matomo is hosted on our web space (on-premise) located in the EU and is configured in a particularly data protection-friendly way. No data is disclosed to third parties. In addition, the website does not store cookies on the device, but only uses JavaScript.

We have made the following data protection settings for Matomo:

  • IP anonymisation (truncation of the IP address (last two bytes, six characters) before evaluation so that no conclusions can be drawn about your identity);
  • Processing (in particular geolocalization) and storage of your visit only by means of the anonymised IP address;
  • On the website: deactivation of cookies;
  • Automatic deletion of old visitor logs after 90 days;
  • On the website: accepting the browser’s “Do not track” setting.

The following data may be processed by Matomo:

  • Anonymised IP address;
  • Referrer URL (website visited before);
  • Areas of our Service accessed (date, time, title, time spent; for the website: URL);
  • Downloaded files;
  • Clicked links to other services;
  • Technical information: operating system; app or browser type, version and language; device; type, brand, model and resolution;
  • Approximate location (country and possibly city, based on anonymised IP address).

You may object to the use of Matomo at any time by activating your browser’s “Do not track” option on the website or by using the opt-out option at the end of this section on Matomo.
For further information, please refer to the data protection information provided by Matomo: https://matomo.org/privacy/

4. Disclosure of data

In principle, we will only disclose the data we have collected if there is a legal basis for this under data protection law in the specific case, in particular if:

  • You have given explicit consent pursuant to Art. 6(1) Sentence 1(a) GDPR;
  • Disclosure is necessary pursuant to Art. 6(1) Sentence 1(e) GDPR in conjunction with Sect. 3 German Federal Data Protection Act (BDSG) and, with regard to the GIZ, furthermore under Art. 6(1) Sentence 1(f) GDPR in order to establish, exercise or defend legal claims and there is no reason to assume that you have an overriding legitimate interest in your data not being disclosed;
  • We are legally obliged to disclose data under Art. 6(1) Sentence 1(c) GDPR, in particular if this is necessary for legal prosecution or enforcement due to official requests, court decisions and legal proceedings; or
  • This is permitted by law and is required under Art. 6(1) Sentence 1(b) GDPR for the processing of contractual relationships with you or for taking steps at your request prior to entering into a contract.

The data processing may be carried out in part by our service providers. In addition to the service providers mentioned in this privacy notice, these providers may in particular include data centres that store our website or app and databases, software providers, IT service providers that maintain our systems, agencies, market research companies, group companies and consultancies. If we pass data on to our service providers, they may use the data exclusively for the fulfilment of their tasks. We have carefully selected and commissioned the service providers. They are contractually bound by our instructions, have appropriate technical and organisational measures in place to protect the rights of data subjects and are carefully monitored by us.

5. Data transfers to third countries

Countries outside the European Union or the European Economic Area are so-called third countries whose level of data protection does not correspond to that of the European Union. If your data is transferred to these countries, this constitutes a third-country transfer. Where this is the case and the European Commission has not issued an adequacy decision (Art. 45 GDPR) for these countries, we have taken appropriate measures to ensure an adequate level of data protection for any data transfers. These include but are not limited to the standard contractual clauses of the European Union or binding corporate rules.
Where this is not possible, we base the transfer of data on derogations under Art. 49 GDPR, in particular your explicit consent or the necessity of the transfer for the performance of the contract or for taking steps prior to entering into a contract.

Where a data transfer to a third country is planned and no adequacy decision or appropriate safeguards are in place, there is a risk that authorities in the third country in question (e.g. intelligence agencies) may gain access to the transferred data in order to record and analyse it, and that the enforceability of your rights as a data subject cannot be guaranteed. You will also be informed of this if we obtain your consent.

6. Storage period

In principle, we only store personal data for as long as necessary to fulfil the purposes for which we have collected the data. We then erase the data without undue delay, unless we still require the data until the end of the statutory limitation period for documentation purposes for claims under civil law, due to statutory retention obligations, or there is another legal basis under data protection law for the continued processing of your data in the specific individual case.

For documentation purposes, we are required to keep contract data in particular for another three years after the end of the year in which the business relationship with you ends. Under the standard statutory limitation period, any claims become statute-barred at this point in time at the earliest.
Even after that, we are still required to store some of your data for accounting reasons. We are obliged to do so due to statutory documentation obligations, which may arise on the basis of the German Commercial Code, the German Fiscal Code, the German Banking Act, the German Anti-Money Laundering Act and the German Securities Trading Act. The periods specified therein for retaining documents range from two to ten years.

7. Your rights, in particular withdrawal and objection

You have the following rights under data protection law, with the BNITM acting as the central point of contact. Please contact info@go4bsb.de to exercise your rights. Alternatively, you can contact one of the GO4BSB consortium partners directly.
As a data subject, you always have the following rights as set out in Art. 7(3), Art. 15–21, and Art. 77 GDPR, if the respective legal requirements are met: 

  • Right to withdraw your consent (Art. 7(3) GDPR);
  • Right to object to the processing of your personal data (Art. 21 GDPR in conjunction with Sect. 36 German Federal Data Protection Act (BDSG));
  • Right of access to personal data concerning you which we process (Art. 15 GDPR);
  • Right to rectification of inaccurate personal data concerning you which we have stored (Art. 16 GDPR);
  • Right to erasure of your personal data (Art. 17 GDPR);
  • Right to restriction of the processing of your personal data (Art. 18 GDPR);
  • Right to data portability (Art. 20 GDPR);
  • Right to lodge a complaint with a supervisory authority (Art. 77 GDPR).

In order to establish your rights described here, you can contact us at any time using the contact details provided. This also applies if you wish to receive copies of safeguards in order to prove an adequate level of data protection. Subject to the respective legal requirements, we will comply with your data protection request.
We will keep your enquiries regarding the establishment of rights under data protection law, and our responses to these, for a period of up to three years for documentation purposes and, where necessary in individual cases, beyond this period if we need to establish, exercise or defend legal claims. The legal basis is Art. 6(1) Sentence 1(e) GDPR in conjunction with Sect. 3 German Federal Data Protection Act (BDSG) and, with regard to the GIZ, furthermore Art. 6(1) Sentence 1(f) GDPR, based on our interest in defending ourselves against any civil-law claims under Art. 82 GDPR, and fulfilling our accountability under Art. 5 Sentence 2 GDPR.

You have the right to withdraw your consent at any time. As a result of this, we will cease the data processing based on this consent with future effect. This withdrawal of your consent will not affect the lawfulness of the processing carried out on the basis of the consent prior to the withdrawal.

Insofar as we process your data on the basis of legitimate interests, you have the right to object to the processing of your data at any time for reasons arising from your particular situation. If your objection is to data processing for direct marketing purposes, you have a general right of objection, which we will implement without requiring you to give reasons.
If you would like to make use of your right of withdrawal or objection, it is sufficient to simply notify us using the contact details provided above.
Finally, you have the right to lodge a complaint with a data protection supervisory authority. You can assert this right, for example, by contacting a supervisory authority in the Member State of your habitual residence, your place of work or the place of the alleged infringement. You will find the competent supervisory authority in Section 1 (“Data controller and contact”).

8. Changes to this privacy notice

We will update this privacy notice from time to time, for example if we adapt our Service or if there are changes to the legal or regulatory requirements.