Data Protection

I. Name and Address of the Data Controller

The data controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws of the member states as well as other data protection regulations is:

Generalate of the Hospital Sisters of the Third Order Regular of St. Francis e.V.
St. Mauritz-Freiheit 44
48145 Münster 
Germany 
Phone: +49 (0)251.9337-614 
Email: info@hsosf.de 
Website: www.generalat-hsosf.de

Name and Address of the Data Protection Officer

We have appointed an external Data Protection Officer. Our external Data Protection Officer is:

Frank Kunz
Amselweg 14a
46359 Heiden
Germany 
Email: datenschutz@hsosf.de

II. General Information on Data Processing

1. Scope of Processing of Personal Data

We generally process personal data of our users only to the extent necessary to provide a functional website as well as our content and services. The processing of our users' personal data therefore takes place because it is permitted by legal regulations.

2. Legal Basis for the Processing of Personal Data

Insofar as we obtain the consent of the data subject for processing operations involving personal data, Article 6(1)(a) of the EU General Data Protection Regulation (GDPR) serves as the legal basis.

When processing personal data necessary for the performance of a contract to which the data subject is a party, Article 6(1)(b) GDPR serves as the legal basis. This also applies to processing operations required to carry out pre-contractual measures.

If the processing of personal data is necessary to fulfill a legal obligation to which our organization is subject, Article 6(1)(c) GDPR serves as the legal basis.

In the event that vital interests of the data subject or another natural person make the processing of personal data necessary, Article 6(1)(d) GDPR serves as the legal basis.

If processing is necessary to protect a legitimate interest of our organization or a third party, and the interests, fundamental rights, and freedoms of the data subject do not outweigh the first-mentioned interest, Article 6(1)(f) GDPR serves as the legal basis for the processing.

3. Data Deletion and Storage Duration

The personal data of the data subject will be deleted or blocked as soon as the purpose of storage ceases to apply. Storage may also take place if this is provided for by European or national legislators in EU regulations, laws, or other provisions to which the data controller is subject. Blocking or deletion of the data will also occur if a storage period prescribed by the aforementioned standards expires unless there is a necessity for further storage of the data for the conclusion or fulfillment of a contract.

III. Provision of the Website and Creation of Log Files

1. Hosting of the Website

To provide our website, we have contracted an external host, Mittwald CM Service GmbH & Co. KG (hereinafter referred to as the contractor).

a. Contact Details of the Contractor

Mittwald CM Service GmbH & Co. KG
Königsberger Straße 4-6
32339 Espelkamp
Germany 

Website: https://www.mittwald.de 
Phone: +49-5772-293-100 
Fax: +49-5772-293-333 
HRA: 6640 AG Bad Oeynhausen 
VAT ID No: DE814773217

General Partner: Robert Meyer Verwaltungs GmbH AG Bad Oeynhausen HRB 13260 
Represented by the Managing Directors: Robert Meyer, Florian Jürgens

b. Subject of the Contract

The contract we have awarded to the contractor in this context includes the following tasks and/or services:

– Hosting of server systems and applications operated there (database, backup, web server, SAN environment)

– Technical administration of the IT systems required for hosting

– Other support activities for all server systems

c. Conclusion of a Data Processing Agreement

In the course of providing services, access to personal data by the contractor cannot be excluded.

For this reason, we have concluded a data processing agreement (DPA) with the contractor in accordance with Article 28 GDPR, which, among other things, specifies the type and purposes of the processing of personal data.

The processing of personal data not related to the provision of hosting services is prohibited for the contractor.

d. Legal Basis for the Processing of Personal Data

We have decided not to operate our own web server but to contract an external service provider for this purpose. This decision corresponds to our legitimate interest under Article 6(1)(f) GDPR.

2. Location of Data Processing 

The hosting takes place exclusively in a member state of the European Union or in another contracting state of the Agreement on the European Economic Area. Any transfer to a third country requires our prior approval and may only take place if the special requirements of Articles 44 et seq. GDPR are met.

3. TLS/SSL Encryption 

Our website uses TLS/SSL encryption. You can recognize encrypted transmission by the prefix “https://” in your browser’s address bar. The prefix “http://” (without the s) identifies unencrypted connections. We use encryption to protect the data you transmit to us as well as possible when you access our website. Please note that not all transmitted data is encrypted. Certain metadata, such as DNS resolution, connection setup, and your IP address, is transmitted unencrypted.

4. Description and Scope of Data Processing

Each time our website is accessed, the contractor’s systems automatically collect data and information from the computer system of the accessing computer.

They log which page views occurred at which time. The following data is collected:

– The IP address of the user

– Date and time of access

– The accessed pages

– Protocols

– Returned status code

– Data volume

– Websites from which the user’s system accessed our website (stored as a referrer)

– Websites that are accessed from the user’s system via our website (stored as a referrer)

– Information about the user’s operating system as well as the browser type and version used (User Agent)

– Accessed hostname

– Any erroneous page accesses

The data is also stored in the log files (access logs) of the systems.

The IP addresses are stored in an anonymized form. For this purpose, the last one to three digits are removed; for example, “127.0.0.1” becomes “127.0.0.0”. IPv6 addresses are also anonymized.

Erroneous page accesses (so-called error logs) are deleted after seven days. These include the accessing IP address and, depending on the error, the accessed website.

These data are not stored together with other personal data of the user.

5. Legal Basis for Data Processing

The legal basis for the temporary storage of data and access logs is Article 6(1)(f) GDPR.

6. Purpose of Data Processing

The temporary storage of the IP address by the system is necessary to enable the delivery of the website to the user’s computer. For this purpose, the user’s IP address must be stored for the duration of the session.

The storage in the access logs is carried out to ensure the functionality of the website. The data also serves to optimize the website technically and to ensure the security of the information technology systems. An evaluation of the data for other purposes (e.g. marketing purposes) does not take place in this context.

These purposes also constitute our legitimate interest in data processing under Article 6(1)(f) GDPR.

7. Duration of Storage

The data is deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. In the case of data collection for the provision of the website, this is the case when the respective session ends.

In the case of storage of IP addresses in the access logs, this is the case after a maximum of 60 days. Further storage of the remaining data from the access logs is possible. In this case, the IP addresses of the users are deleted or altered so that a connection to the calling client is no longer possible.

8. Objection and Elimination Possibility

The collection of data for the provision of the website and the storage of data in log files is essential for the operation of the website. Therefore, there is no possibility of objection from the user.

IV. Use of Cookies

Description and Scope of Data Processing

Our website uses cookies. Cookies are text files that are stored in the internet browser or by the internet browser on the user’s computer system. When a user accesses a website, a cookie may be stored on the user’s operating system. This cookie contains a characteristic string that allows the browser to be uniquely identified when the website is accessed again.

We use cookies to make our website functional. Some elements of our website require that the calling browser can be identified even after a page change.

The following data is stored and transmitted in the cookies:

– Language settings.

We do not use cookies on our website that enable an analysis of the users’ browsing behavior. Only technically necessary cookies are used.

Legal Basis for Data Processing

The legal basis for the processing of personal data using technically necessary cookies pursuant to § 25(2) TTDSG is Article 6(1)(f) GDPR.

2. Purpose of Data Processing

The purpose of using technically necessary cookies is to enable the use of our website for users. We provide our website in German and English. The user can set the language preference on our website. The storage of the selected language setting cannot be offered without the use of cookies. For this, it is necessary that the browser is recognized again after a page change.

We require cookies for the following applications:

(1) Adoption of language settings

The user data collected by technically necessary cookies are not used to create user profiles or for other purposes.

This purpose also constitutes our legitimate interest in the subsequent processing of personal data in accordance with Article 6(1)(f) GDPR.

3. Duration of Storage, Objection, and Elimination Possibility

Cookies are stored on the user’s computer and transmitted to our site. Therefore, as a user, you have full control over the use of cookies. By changing the settings in your internet browser, you can deactivate or restrict the transmission of cookies. Cookies already stored can be deleted at any time. This can also be done automatically. If cookies for our website are deactivated, it may not be possible to use all the functions of the website fully.

V. Web Analysis Using Matomo (formerly PIWIK)

Scope of the Processing of Personal Data

We use the open-source software tool Matomo (formerly PIWIK) on our website.

With Matomo, we can collect and analyze data on how users interact with our website. This allows us to determine, among other things, when specific pages are accessed and from which region. We can also measure whether our users perform certain actions (e.g., clicks).

The software does not place any cookies on the users’ computers.

When individual pages of our website are accessed, the following data is stored:

1. Two bytes of the IP address of the user’s calling system

2. The accessed webpage

3. The webpage from which the user accessed the current page (referrer)

4. The subpages accessed from the current page

5. The time spent on the website

6. The frequency of page visits

The software runs exclusively on the servers of our website. The personal data of users is stored only there. The data is not passed on to third parties.

We use the function “Automatically Anonymize Visitor IPs,” which means the software is configured to not store IP addresses in full but to mask 2 bytes of the IP address (e.g., 192.168.xxx.xxx). This makes it impossible to assign the shortened IP address to the accessing computer, meaning the IP address can no longer be traced back to you.

We also use the function “Replace User ID with a pseudonym,” which means that the User ID sent by your browser is pseudonymized, making it impossible to link it back to you.

Legal Basis for the Processing of Personal Data

The legal basis for processing the users’ personal data is Article 6(1)(f) GDPR.

1. Purpose of Data Processing 

The processing of users’ personal data enables us to analyze our users’ browsing behavior. By evaluating the collected data, we can compile information on the use of various components of our website. This helps us to continuously improve our website and its user-friendliness. These purposes also constitute our legitimate interest in processing the data under Article 6(1)(f) GDPR. The anonymization of the IP address and pseudonymization of the User ID adequately consider users’ interest in protecting their personal data.

2. Duration of Storage 

The data is deleted as soon as it is no longer needed for our recording purposes.

3. Objection and Elimination Possibility  

No cookies are stored on the user’s computer or transmitted from there to our site. The collected data is stored anonymously and pseudonymously. The data is not passed on to third parties. Therefore, the user has no possibility of objection.

VI. Rights of the Data Subject

If your personal data is processed, you are a data subject within the meaning of the GDPR, and you have the following rights against us:

1. Right to Information 

You can request confirmation from us as to whether personal data concerning you is being processed by us.

If such processing is taking place, you can request information from us about the following:

1. the purposes for which the personal data is being processed;

2. the categories of personal data being processed;

3. the recipients or categories of recipients to whom the personal data concerning you has been or will be disclosed;

4. the planned duration of the storage of the personal data concerning you or, if specific information on this is not possible, the criteria for determining the storage duration;

5. the existence of a right to rectification or erasure of the personal data concerning you, a right to restrict processing by the data controller, or a right to object to such processing;

6. the existence of a right to lodge a complaint with a supervisory authority;

7. all available information on the origin of the data if the personal data is not collected from the data subject. We point out that we only collect personal data from the data subject in the context of providing our website;

8. the existence of automated decision-making, including profiling, in accordance with Article 22(1) and (4) GDPR and – at least in these cases – meaningful information about the logic involved and the scope and intended effects of such processing for the data subject. We point out that automated decision-making, including profiling, does not take place on our website;

9. you have the right to request information as to whether the personal data concerning you is being transferred to a third country or an international organization. In this context, you can request to be informed of the appropriate safeguards in accordance with Article 46 GDPR in connection with the transfer. We point out that a transfer to a third country does not take place (see section III.2. Location of Data Processing).

2. Right to Rectification 

You have the right to demand that we rectify and/or complete any personal data concerning you that is incorrect or incomplete.

3. Right to Restriction of Processing

You may request the restriction of the processing of personal data concerning you under the following conditions:

1. if you contest the accuracy of the personal data concerning you for a period that allows us to verify the accuracy of the personal data;

2. if the processing is unlawful and you oppose the erasure of the personal data and instead request the restriction of their use;

3. if we no longer need the personal data for the purposes of processing, but you need them for the establishment, exercise, or defense of legal claims;

4. if you have objected to processing pursuant to Article 21(1) GDPR and it is not yet clear whether our legitimate grounds override your grounds.

If the processing of personal data concerning you has been restricted, such data may only be processed, with the exception of storage, with your consent or for the establishment, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or a member state.

If processing has been restricted under the above conditions, you will be informed by us before the restriction is lifted.

4. Right to Erasure 

You may request that we erase personal data concerning you without undue delay, and we are obliged to erase such data without undue delay where one of the following reasons applies:

1. the personal data concerning you is no longer necessary for the purposes for which it was collected or otherwise processed;

2. you withdraw your consent on which the processing is based according to Article 6(1)(a) or Article 9(2)(a) GDPR, and there is no other legal ground for the processing;

3. you object to the processing pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) GDPR;

4. the personal data concerning you has been unlawfully processed;

5. the erasure of the personal data concerning you is necessary for compliance with a legal obligation in Union or member state law to which we are subject;

6. the personal data concerning you has been collected in relation to the offer of information society services referred to in Article 8(1) GDPR.

a. Notification to Third Parties

If we have made the personal data concerning you public and are obliged to erase it pursuant to Article 17(1) GDPR, we shall take reasonable steps, including technical measures, to inform data controllers who are processing the personal data that you as the data subject have requested the erasure by such data controllers of any links to, or copies or replications of, those personal data, taking into account available technology and the cost of implementation.

b. Exceptions

The right to erasure does not apply to the extent that processing is necessary:

1. for exercising the right of freedom of expression and information;

2. for compliance with a legal obligation that requires processing under Union or member state law to which we are subject or for the performance of a task carried out in the public interest;

3. for reasons of public interest in the area of public health in accordance with Article 9(2)(h) and (i) and Article 9(3) GDPR;

4. for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89(1) GDPR to the extent that the right referred to in subsection (a) is likely to render impossible or seriously impair the achievement of the objectives of that processing;

5. for the establishment, exercise, or defense of legal claims.

5. Right to Information

If you have exercised your right to rectification, erasure, or restriction of processing against us, we are obliged to notify all recipients to whom the personal data concerning you has been disclosed of this rectification or erasure of the data or restriction of processing unless this proves impossible or involves a disproportionate effort.

You have the right to be informed about these recipients by us.

6. Right to Data Portability

You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used, and machine-readable format. You also have the right to transmit those data to another controller without hindrance from the controller to whom the personal data has been provided, where:

1. the processing is based on consent pursuant to Article 6(1)(a) GDPR or Article 9(2)(a) GDPR, or on a contract pursuant to Article 6(1)(b) GDPR, and

2. the processing is carried out by automated means.

In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one controller to another, where technically feasible. The rights and freedoms of others must not be adversely affected by this.

The right to data portability does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

7. Right to Object

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is based on Article 6(1)(e) or (f) GDPR, including profiling based on those provisions. As mentioned above, profiling does not take place.

We shall no longer process the personal data concerning you unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing is for the establishment, exercise, or defense of legal claims.

You have the possibility to exercise your right to object in connection with the use of information society services, notwithstanding Directive 2002/58/EC, by automated means using technical specifications.

8. Right to Withdraw Consent under Data Protection Law 

You have the right to withdraw your consent under data protection law at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

9. Right to Lodge a Complaint with a Supervisory Authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the member state of your habitual residence, place of work, or place of the alleged infringement if you consider that the processing of personal data concerning you violates the GDPR.

The supervisory authority to which the complaint has been submitted will inform the complainant about the progress and the outcome of the complaint, including the possibility of a judicial remedy pursuant to Article 78 GDPR.