Exabo

Data Protection Policy


  1. Names and addresses


    1. Name and address of responsible person

      The person responsible within the meaning of the Basic Data Protection Regulation and other national data protection laws of the member states as well as other provisions of data protection law is:


      Universitätsklinikum Frankfurt

      Medizinische Klinik I
      Frankfurter Referenzzentrum für Seltene Erkrankungen (FRZSE)
      Prof. Dr. med. T.O.F. Wagner
      Theodor-Stern-Kai 7
      D-60590 Frankfurt am Main

      Telephone: +49 (0)69 6301-1
      Email: info@ern-lung.eu


    2. Name and address of the statutory data protection officer:


      Universitätsklinikum Frankfurt

      Theodor-Stern-Kai 7
      60590 Frankfurt am Main
      Germany

      Telephone: +49 69 6301-5745
      Fax: +49 69 6301-83779
      Email: Datenschutz@kgu.de



  2. General information on data processing


    1. Scope of processing personal data

      Personal user data is only processed if it is necessary for the provision of functions, content or services on the internet platform. The user's consent is given before the processing of personal data, except in cases in which it is not possible to obtain prior consent for actual reasons or in which processing is permitted by legal framework conditions.


    2. Lawfulness of processing personal data

      Insofar as we obtain the consent of the data subject for the processing of personal data, Art. 6 para. 1 lit. a EU Data Protection Basic Regulation (DSGVO) serves as the legal basis. Art. 6 para. 1 lit. b DSGVO serves as a legal basis for the processing of personal data required for the performance of a contract to which the data subject is a party. This also applies to processing operations that are necessary for the implementation of pre-contractual measures.

      If the processing of personal data is necessary to fulfil a legal obligation to which our company is subject, Art. 6 para. 1 lit. c DSGVO serves as the legal basis.

      In the event that vital interests of the data subject or another natural person necessitate the processing of personal data, Art. 6 para. 1 lit. d DSGVO serves as the legal basis.

      If the processing is necessary to maintain a legitimate interest of our institution or a third party and if the interests, fundamental rights and fundamental freedoms of the data subject do not outweigh the first-mentioned interest, Art. 6 para. 1 lit. f DSGVO serves as the legal basis for the processing.


    3. Data deletion and storage duration

      The personal data of the person concerned will be deleted or blocked as soon as the purpose of storage no longer applies. In addition, the data may be stored if the European or national legislator has provided for this in Union regulations, laws or other provisions to which the person responsible is subject. The data shall also be blocked or deleted if a storage period prescribed by the aforementioned standards expires, unless it is necessary for further storage of the data for the conclusion or performance of a contract.

      Note: For the right to revoke consent under data protection law, see 7.8.



  3. Provision of a website and creation of log files


    1. Description and scope of data processing

      Each time the website is accessed the web hosting provider automatically collects and stores data from the accessing computer.

      The following data are collected while using the platform:

      • Browser type and version
      • The user's operating system
      • The user's internet service provider
      • The user's IP address
      • Date and time of access
      • Websites that are accessed by the user's system via our webpage

      These data are stored in our system's log files as well. This does not affect the user's IP address or other data that allows the data to be assigned to a user. These data are not stored together with other personal data from the user.


    2. Legal basis for data processing

      The legal basis for temporary storage of the data is Art. 6 para. 1 lit. f DSGVO.


    3. Purpose of data processing

      The temporary storage of the IP address through the system is necessary to enable the delivery of the website to the user's computer. To do this, the user's IP address has to be stored for the duration of the session.

      These purposes also include our legitimate interest in data processing pursuant to Art. 6 Para. 1 lit. f DSGVO.


    4. Duration of page session storage

      The data will be deleted as soon as they are no longer necessary for the purpose for which they were gathered. In the case of the collection of data for providing the website, this is the case when the respective session has ended. Please refer to section 5 for the duration of storage during registration.


    5. Possibility of objection and removal

      The collection of data for the provision of the website and the storage of data in log files is mandatory for the operation of the website. In consequence, there is no possibility for the user to object to this.



  4. Use of cookies


    1. Description and scope of data processing

      Our website uses cookies. Cookies are text files which are stored on the user's operating system in an internet browser and are created when you visit a website. They are used to store bits of information about your interactions with the website. This cookie contains a characteristic text string that allows the browser to be uniquely identified when the website is visited again. We use cookies to make our website more user friendly. Some elements of our website require that the requesting web browser can be identified even after a page change.

      The following data are stored and transmitted in the cookies:

      • log in credentials
      • user information
      • role distribution


    2. Legal basis for data processing

      The legal basis for the processing of personal data using cookies is defined in Art. 6 para. 1 lit. f DSGVO.


    3. Purpose of data processing

      Technical cookies are used to make the website user friendly. Website functionalities cannot be guaranteed without the use of cookies. For these pages it is necessary that the browser is recognized even after page change.

      Cookies are used for the following applications:

      • Logging on
      • For the allocation of internal IDs and other user information
      • Assignment of rights

      The user data collected through technically necessary cookies are not used to create user profiles. Within the framework of the registration process, the user's consent is obtained for the processing of this data. The legal basis for the processing of personal data is Art. 6 para. 1 lit. a DSGVO if the user has given his consent.

      If the registration serves the fulfillment of a contract to which the user is a contracting party, or to pursue pre-contractual measures, an additional legal basis for the processing of data is Art. 6 para. 1 lit. b DSGVO.

      The user registration is required for the provision of certain contents and services on our website. This includes assigning and answering, releasing answered questions and participating in internal discussion rounds to find answers. An identification is necessary to ensure that moderators can pass the question on to the relevant expert and to be able to assign answers and comments by experts to them.

      During the registration process a text should appear such as “I consent to my personal data being stored and processed for the purposes” and “I can arrange for my data to be blocked or deleted in the future”, which has to be confirmed by the user.




  5. Form (to be filled in for question-answering process) and email contact address


    1. Description and scope of data processing

      On our internet platform there is a form to ask questions on all aspects of rare respiratory diseases. The data is entered into an input mask and transmitted to us and stored. This data will not be passed on to third parties. In order to submit a question, the user has to fill in the following data which will be saved and processed:

      • Disease area of rare respiratory diseases (1)
      • Subject (2)
      • Language, in which the question is asked (3)
      • Question (4)
      • Gender (5)
      • Age (6)
      • Role (is the questioner a physician or a patient?) (7)
      • Email address (8)
      • Country of Residence (9)


      The user's consent will be obtained for the processing of the data as part of the sending process and reference will be made to this data protection declaration.
      • Date and time the question was sent


      Alternatively, you can get in touch with us via the e-mail address provided by the system. In this case, the user's personal data which are transmitted through the email will be stored.


    2. Legal basis for data processing

      The legal basis for data processing is Art. 6 para. 1 lit. a DSGVO if the user has given his consent.

      If the purpose of registration is to fulfil a contract to which the user is a party or to carry out pre-contractual measures, the additional legal basis for the processing of data is Art. 6 para. 1 lit. b DSGVO.


    3. Purpose of data processing

      User registration is necessary for the provision of certain contents and services on our website. This includes allocating and answering as well as releasing answered questions and participating in internal discussion rounds to find answers to the questions. User identification is necessary to ensure the assignment of questions through the moderator to respective experts and to be able to allocate the comments made by the respective experts.


    4. Duration of storage

      The data will be deleted as soon as they have fulfilled the purpose for which they were collected. This is the case for data that has been collected during the registration process if the registration on our website is either cancelled or modified on our website.


    5. Possibility of objection and removal

      As a user you always have the possibility to cancel your registration. You can have all personal data changed at any time.

      The request of account deletion can be done by email or by phone. Replies that have already been made by the user and published can be retained, deleted or anonymized after notification.



  6. Ask a question template form and contact email-address


    1. Description and scope of data processing

      On our internet platform there is a form to ask questions on all aspects of rare respiratory diseases. In order to submit a question, the user has to fill in the following data which will be saved and processed:


      (1) Disease area of rare respiratory diseases
      (2) Subject
      (3) Language, in which the question is asked
      (4) Question
      (5) Gender
      (6) Age
      (7) Role (is the questioner a physician or a patient?)
      (8) Email address
      (9) Country of Residence

      At the time the message is sent, the following data will also be stored:
      - Timestamp on sent question
      - For data processing

      Your consent will be obtained for data processing as part of the sending process and reference will be made to this data protection declaration. Alternatively, you can get in touch with us via the provided email address. In this case, the personal data of the user, which are transmitted with the email, will be stored.

      In this context, points (1), (2), (3), (4), (5), (6), (9) are passed on to registered, logged in experts via the Internet portal EXABO within the EU for the purpose of answering questions. The operators and developers of the internet portal have access to the database and therefore to your data for the purpose of maintaining and further developing the platform and can also carry out manual deletion. The web server of domain Factory is used to send the e-mails. The data are not passed on to third parties in this context.


    2. Legal basis for data processing

      Legal basis for data processing is Art. 6 para. 1 lit. a DSGVO if the user has consented to it. The legal basis for processing the data transmitted in the course of sending an e-mail is Art. 6 para. 1 lit. f DSGVO. If the e-mail contact is aimed at the conclusion of a contract, the additional legal basis for the processing is Art. 6 para. 1 lit. b DSGVO.


    3. Purpose of data processing

      The processing of your personal data from the data entry mask serves to provide you with an answer to your question. If you contact us by email, we will provide you with an answer to your question or, if needed, an extended answer to your question. The other personal data which are processed during the sending process are used to assign and answer questions accordingly. Points (1), (2), (3), (4) and (9) will be published and available in the archive of our internet platform after having been reviewed and answered by our experts. The archive is openly accessible in the form of a question-and-answer catalogue, which is available to other patients seeking help.


    4. Duration of data processing

      The data will be deleted as soon as they are no longer necessary for the purpose for which they were gathered. For the personal data from the contact form and those that have been sent via email, this is the case if the question has been deleted from the archive.

    5. Possibility of objection and removal

      The user has the possibility to withdraw his consent for processing of personal data at any time. If the user gets in touch with us, he can object to the storage of his personal data at any time. In this case, questions cannot be answered, or, should an answer have already been published, it can be deleted or its provision restricted for the public. There is a restriction if the user wishes to delete his personal data but still provide the question anonymously. The revocation can be done via the e-mail address info@ern-lung.eu or via telephone number +49 (0)69-6301-1. Please indicate in this context whether you wish to delete your personal data or you agree with us retaining questions, subject and language zone. In case you wish for us to delete all information regarding the inquiry in the question, your data will be irrevocably deleted right after the announcement. Please note that for every question asked you have to object to the storage of your data.



  7. Data subject rights


    If your personal data are processed, you are the data subject within the meaning of the DSGVO and you are entitled to the following rights vis-à-vis the person responsible:


    1. Right to information

      You may request a confirmation form from the data controller stating whether your personal data will be processed by us. In the event of such processing, you may ask the data controller to provide you with the following information:

      • The purposes for which the personal data will be processed
      • The categories of personal data processed
      • The recipients or categories of recipients to whom the personal data concerning them have been or will be disclosed
      • The planned duration time of the storage of your personal data, or, in case specific details are not provided, criteria for defining the duration time of storage of personal data
      • The existence of a right to rectification or deletion of personal data relating to you
      • The right to the limitation of the processing by the controller or of a right to object to such processing
      • The existence of a right of appeal to a supervisory authority
      • All available information on the origin of the data, if the personal data are not collected from the data subject
      • The existence of automated decision-making including profiling in accordance with Article 22(1) and (4) DSGVO and - at least in these cases - meaningful information on the logic involved and the scope and intended effects of such processing for the data subject

      You have the right to request information as to whether the personal data concerning you will be transferred to a third country or to an international organization. In this context, you may request to be informed of the appropriate guarantees pursuant to Art. 46 DSGVO in connection with the transfer.


    2. Right to rectification

      You are entitled to have your personal data rectified and/or completed by the data controller if the personal data processed concerning you is inaccurate or incomplete. The data controller must carry out the rectification right away.


    3. Right to limitation of processing

      Under the following conditions you may request a restriction of the processing of your personal data:

      • If you dispute the accuracy of your personal data for a period of time that allows the data manager to review the data for accuracy
      • If the data processing is unlawful and you refuse deletion of your personal data and instead request the restriction of the use of the personal data
      • If the responsible data controller no longer requires your personal data for the purpose of data processing, but you need them to assert, exercise or defend legal claims
      • If you have objected to the processing of personal data pursuant to Art. 21 para. 1 DSGVO and it has not yet been established whether the justified reasons of the data controller outweigh your reasons

      If the processing of your personal data has been restricted, this data may be processed only with your consent or for the purpose of asserting, exercising or defending legal claims, or for the protection of another natural or legal person, or for reasons of an important public interest of the Union or a Member State. Should the restriction measures of processing of personal data have been made according to the above-mentioned prerequisites, you will be informed by the data manager that the restriction has been revoked.


    4. Right to deletion


      1. Deletion obligation

        You can request immediate deletion of your personal data by the data manager, who is obligated to delete these data, provided one of the following reasons:

        • Your personal data are no longer needed for the purposes for which they have been collected or otherwise processed.
        • You revoke your consent on which the processing was based pursuant to Art. 6 para. 1 lit. a or Art. 9 para. 2 lit. a DSGVO and there is no other legal basis for the processing.
        • You object to the processing pursuant to Art. 21 para. 1 DSGVO and there are no overriding legitimate reasons for the processing or you object to the processing pursuant to Art. 21 para. 2 DSGVO.
        • The personal data concerning you have been unlawfully processed.
        • The deletion of personal data concerning you is necessary to fulfil a legal obligation under Union law or the law of the Member States to which the data controller is subject.
        • The personal data that have been collected are in respect to the offered services from the information society pursuant to Art. Para. 1 DSGVO.


      2. Information to third parties

        If the person responsible has made the personal data concerning you public and is obliged to delete them pursuant to Art. 17 para. 1 DSGVO, he shall take appropriate measures, including technical measures, taking into account the available technology and the implementation costs, to inform the persons responsible who process the personal data that you, as the person concerned, have requested them to delete all links to this personal data or copies or replications of this personal data.


      3. Exceptions

        The right to deletion does not exist if the processing is necessary:

        • for the exercise of the right to freedom of expression and information;
        • to fulfil a legal obligation, which the processing requires under the law of the Union or of the Member States to which the controller is subject, or to perform a task which is carried out in public interest, or which was assigned to the responsible controller;
        • for reasons of public interest in the field of public health pursuant to Article 9(2)(h) and (i) and Article 9(3) DSGVO;
        • for archive purposes in the public interest, for scientific or historical research purposes or for statistical purposes pursuant to Art. 89 para. 1 DSGVO, inasmuch as the law referred to under section a) presumably makes the attainment of the objectives of such processing impossible or seriously impairs them; or
        • for the assertion, exercise or defence of legal claims.


    5. Right to information

      If you have exercised the right to rectify, cancel or limit the processing of your personal data against the controller, the latter is obliged to inform all recipients to whom your personal data have been disclosed, of this rectification, cancellation or limitation of the processing, unless this proves impossible or involves a disproportionate effort. You have the right to be informed by the controller of such recipients.


    6. Right to data portability

      You have the right to receive the personal data that concern you, which you have provided to the responsible person, in a structured, common and machine-readable format. Furthermore, you are entitled to forward these personal data to another responsible person without being hindered by the responsible person to whom the personal data has been provided, insofar as the processing is based on a consent pursuant to Art. 6 para. 1 lit. a DSGVO or Art. 9 para. 2 lit. a DSGVO or on a contract pursuant to Art. 6 para. 1 lit. b DSGVO and the processing is carried out using automated procedures. In exercising these rights, you also have the right to obtain the direct transfer of your personal data from one responsible person to another, as far as this is technically feasible. Other persons' freedom and rights must not be affected by this. The right to data transfer does not apply to the mere processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority entrusted to the person responsible.


    7. Right of Objection

      You have the right, for reasons arising from your particular situation, to object at any time to the processing of personal data concerning you on the basis of Art. 6 para. 1 lit. e or f DSGVO. The responsible person will no longer process the personal data relating to you, unless he can prove compelling reasons that are worthy of protection for processing your data, which outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims. If your personal data are processed for direct advertisement purposes, you have the right to object to the processing of your personal data for the purpose of such advertisement; this also applies to profiling, provided that it is linked with such advertisement. Should you object to the processing of your data for the purpose of direct advertisement, your personal data will no longer be processed for these purposes. You have the possibility to exercise your right of objection in relation to the use of Information Society services, regardless of Directive 2002/58/EC, by means of automated procedures using technical specifications.


    8. Right to revoke the declaration of consent under data protection law

      You have the right to revoke your data protection consent at any time. Revocation will however not affect the lawfulness of the processing of personal data which was carried out on the basis of the consent until revocation.


    9. Automated case-by-case decisions including profiling

      You have the right not to be subject to any decision based solely on automated processing, including profiling, that has any legal effect or affects you in a significant and similar manner. This does not apply when the decision is needed for the conclusion or the fulfillment of a contract between yourself and the responsible data controller, is admissible under the laws of the Union or of the Member States, to which the data controller is subject, and those laws contain appropriate measures to safeguard your rights and freedom and your legitimate interests or are adopted with your explicit consent. These decisions, however, must not be based on specific criteria of personal data pursuant to Art. 9 para. 1 DSGVO, unless Art. 9 para. 2 lit. a or g DSGVO applies and appropriate measures have been taken to protect the rights and freedom as well as your legitimate interests. Regarding the cases referred to in (1) and (3), the responsible person must take appropriate measures to protect the rights and freedom as well as your legitimate interests, which includes at least the right to obtain the intervention of a person on the part of the responsible person, to state your own point of view and to challenge the decision.


    10. Right of appeal to a supervisory authority

      Without prejudice to any other legal administrative proceedings or judicial remedy, you have the right to send your complaints to a supervisory authority, particularly in the Member State of your place of residence, your place of work or the place of the alleged violations, if you are under the impression that the processing of the respective personal data concerned violates the DSGVO. The supervisory authority to which the complaint is submitted informs the complainant about the status and outcome of the complaint and the possibilities of judicial remedy under Article 78 DSGVO.

  8. For security reasons and to protect the transmission of confidential content, such as requests you send to us as a site operator, this site uses SSL or TLS encryption. You can recognize an encrypted webpage by the fact that the browser's address bar changes from http:// to https://, as well as by a lock icon in the browser bar. If the SSL or TLS encryption is activated, the data you have transmitted to us cannot be read by third parties.
