Privacy Policy & Imprint

Privacy Policy

I. Name and Address of the Controller

The controller within the meaning of the General Data Protection Regulation (“GDPR”) and other applicable data protection provisions is:

CMS Cellex Medical Services GmbH

Melli-Beese-Str. 9-11

50829 Cologne

Email: cms-info@cellex.me

Telephone: +49 221 2509-2630

Commercial Register: Cologne Local Court

Commercial Register Number: HRB 96105

Managing Directors authorised to represent the company: Prof. Dr. med. Gerhard Ehninger, Dr. Armin Ehninger

Tax Number: 217/5717/3035

II. Contact Details of the Data Protection Officer

Data Protection Officer of CMS Cellex Medical Services GmbH

Email: datenschutz@cellex.me

Telephone: +49 221 2509 2985

III. Information on Locations

The company and billing address of CMS Cellex Medical Services GmbH is:

Melli-Beese-Str. 9-11, 50829 Cologne

Services related to donor registration, collection and examinations may be carried out at the following location:

Im Mediapark 5C, 50670 Cologne

Where different addresses are stated on our website or in connection with individual services, this reflects the distinction between the company headquarters and billing address on the one hand and the operational site for donor registration, collection and examinations on the other hand.

IV. General Information on Data Processing

1. Scope of the Processing of Personal Data

As a rule, we process the personal data of our users only to the extent necessary to provide a functional website and our content and services. Where processing is not technically or legally required, it will only take place with the user’s consent.

2. Legal Bases for the Processing of Personal Data

Where we obtain the consent of the data subject for processing operations involving personal data, Article 6(1)(a) GDPR serves as the legal basis.

Where personal data is processed for the performance of a contract or for the implementation of pre-contractual measures, Article 6(1)(b) GDPR serves as the legal basis.

Where the processing of personal data is necessary for compliance with a legal obligation to which our company is subject, Article 6(1)(c) GDPR serves as the legal basis.

Where processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party, and such interests are not overridden by the interests, fundamental rights and freedoms of the data subject, Article 6(1)(f) GDPR serves as the legal basis.

Where information is stored on terminal equipment or access is gained to information already stored on terminal equipment, the permissibility of such processing is additionally governed by the relevant provisions of the German Telecommunications Digital Services Data Protection Act.

3. Erasure of Data and Storage Period

The personal data of the data subject will be erased or its processing restricted as soon as the purpose of storage no longer applies. Data may be stored beyond that point only where this is provided for by European or national legislation or is necessary for the establishment, exercise or defence of legal claims.

V. Provision of the Website and Creation of Log Files

1. Description and Scope of Data Processing

Each time our website is accessed, our system automatically collects data and information from the computer system of the accessing device.

The following data may be collected:

– Information about the browser type and the version used

– The user’s operating system

– The user’s IP address

– Date and time of access

– Websites from which the user’s system accesses our website

– Websites accessed by the user’s system via our website

– Volume of data transferred

The data is also stored in the log files of our system. This data is not stored together with other personal data of the user.

2. Legal Basis for Data Processing

The legal basis for the temporary storage of data and log files is Article 6(1)(f) GDPR.

3. Purpose of Data Processing

The temporary storage of the IP address by the system is necessary to enable delivery of the website to the user’s device. Storage in log files takes place in order to ensure the functionality of the website and the security and stability of our information technology systems.

4. Duration of Storage

The data is erased as soon as it is no longer necessary for the purpose for which it was collected, unless statutory retention obligations prevent erasure.

5. Possibility of Objection and Removal

The collection of data for the provision of the website and the storage of data in log files is strictly necessary for the operation of the website. Consequently, the user has no option to object.

VI. Cookies, Consent Management and Similar Technologies

1. Description and Scope of Data Processing

Our website uses cookies and comparable technologies. These are pieces of information stored on the user’s device or enabling access to information already stored there.

We use technically necessary technologies to provide the website in a secure and user-friendly manner. In addition, where required, we use technologies requiring consent only if the user has given prior consent.

We use the CookieFirst service to obtain, manage and document consent.

In particular, the following data may be processed:

– Consent status and the user’s individual selection

– Timestamp of consent or withdrawal

– Technical information about the browser and end device

– Language settings

– Pseudonymous identifiers

– Log data relating to the display and management of the consent banner

2. Legal Bases for Data Processing

We process technically necessary cookies and technologies on the basis of the relevant statutory provisions and – where personal data is involved – on the basis of Article 6(1)(f) GDPR.

We use non-essential cookies and comparable technologies only on the basis of consent pursuant to Article 6(1)(a) GDPR.

3. Purpose of Data Processing

The use of technically necessary technologies serves to provide our website in a secure, stable and user-friendly manner. Consent management serves to obtain, document and manage consents in a legally compliant way.

4. Duration of Storage

The specific storage period of individual cookies, consent information and similar technologies depends on their respective function and technical configuration.

5. Withdrawal and Removal Option

The user may withdraw or modify any consent given at any time with effect for the future via the cookie settings on our website.

VII. Web Analytics with Matomo

1. Description and Scope of Data Processing

We use Matomo on our website, an open-source software application for analysing the usage behaviour of visitors to our website.

In particular, the following data may be processed:

– Shortened or masked IP address

– Pages and subpages accessed

– Referrer URL

– Length of stay

– Frequency of page views

– Browser and device information

Where Matomo is configured in a privacy-friendly manner, processing takes place with particular regard to data minimisation.

2. Legal Basis for Data Processing

Where Matomo is used for analytics purposes, this takes place on the basis of the user’s consent pursuant to Article 6(1)(a) GDPR.

3. Purpose of Data Processing

Processing takes place for the statistical evaluation of the use of our online offering, for reach measurement and for improving the user-friendliness and content of our website.

4. Duration of Storage

The data collected is erased as soon as it is no longer necessary for the aforementioned purposes. If anonymised evaluation data is stored, it is erased in accordance with the technically defined retention periods.

5. Right of Withdrawal

The user may withdraw any consent given at any time with effect for the future via the cookie settings.

VIII. Embedded Content and Third-Party Providers

1. Vimeo

Vimeo video content may be embedded on our website. When a page containing embedded Vimeo content is accessed, personal data may be transmitted to Vimeo, in particular the IP address, technical browser and device information, and usage data.

Vimeo content is embedded only after the user has given prior consent, insofar as this is technically required.

The legal basis for processing is Article 6(1)(a) GDPR.

2. Social Feed / Elfsight

The Elfsight service may be used on our website to display social feed or widget content. Depending on the specific implementation, personal data may be processed, in particular technical connection data, IP address, browser and device information, and interaction data.

Where content is loaded via Elfsight and is not technically necessary, such content is integrated only after the user has given prior consent.

The legal basis is Article 6(1)(a) GDPR.

3. Third-Country Transfers in Connection with Third-Party Services

To the extent personal data is transferred to countries outside the European Union or the European Economic Area in connection with embedded content or third-party services, such transfer shall be governed by the statutory requirements of Articles 44 et seq. GDPR. Further general information on third-country transfers can be found in Section XII.

IX. Contact by Email

1. Description and Scope of Data Processing

It is possible to contact us via the email addresses provided. In this case, the personal data transmitted with the email will be stored.

In this context, the data will not be passed on to third parties unless this is necessary for handling the request. The data will be used solely for processing the enquiry and the associated correspondence and, where necessary, for further internal case handling in administrative and ERP systems, in particular Microsoft Dynamics 365.

2. Legal Basis for Data Processing

The legal basis for processing the data transmitted in the course of sending an email is generally Article 6(1)(f) GDPR.

If the email contact is aimed at concluding or performing a contract, the additional legal basis is Article 6(1)(b) GDPR.

3. Purpose of Data Processing

Processing serves exclusively to handle the contact request and the associated correspondence.

4. Duration of Storage

The data is erased as soon as it is no longer necessary for the purpose for which it was collected and no statutory retention obligations prevent erasure.

5. Possibility of Objection and Removal

The user has the option at any time to object to the processing of their personal data in connection with making contact. In such a case, the conversation may not be able to be continued.

X. Registration in the Cell Community

1. Description and Scope of Data Processing

As part of the registration process for the Cell Community, we process the personal data that you provide during registration. This may also include health data insofar as such data is necessary for registration, the assessment of your potential suitability as a donor, the performance and documentation of related medical examinations, and the preparation, organisation and implementation of a possible cell donation.

The provision of certain information, including individual items of health data, is necessary for registration and for the assessment of donor suitability. Without this information, registration may not be possible or may only be possible to a limited extent.

2. Legal Basis for Data Processing

Processing is carried out on the basis of your consent pursuant to Article 6(1)(a) GDPR in conjunction with Article 9(2)(a) GDPR, insofar as health data is processed. Where pre-contractual measures, legal obligations or legitimate interests apply in individual cases, processing is carried out additionally on the basis of Article 6(1)(b), (c) or (f) GDPR.

3. Purpose of Data Processing

Processing takes place for the purpose of registration in the Cell Community, assessing your potential suitability as a donor, performing and documenting related medical examinations, and preparing, organising and carrying out a possible cell donation.

4. Recipients or Categories of Recipients

To the extent necessary for the above purposes, your data may be transmitted to external testing laboratories, medical institutions, cooperating research institutions and other bodies involved in donor assessment, donation preparation or donation performance. Further information on internal further processing in administrative and ERP systems can be found in Section XI.

5. Duration of Storage

The data collected during registration will be stored only for as long as is necessary to achieve the above purposes. Data may be stored beyond that point only where statutory retention obligations exist or where this is necessary for the establishment, exercise or defence of legal claims.

6. Right of Withdrawal

Any consent given may be withdrawn at any time with effect for the future. The lawfulness of processing carried out prior to the withdrawal remains unaffected.

XI. Further Processing of Data in Internal Administrative and ERP Systems

1. Description and Scope of Data Processing

To the extent personal data is transmitted to us via our website, by email, or in the context of enquiries, registrations, appointment coordination or the provision of our services, such data may be processed further in our internal administrative and ERP systems. This also includes the ERP system Microsoft Dynamics 365 provided by Microsoft.

In particular, the following categories of data may be processed:

– Master and contact data (e.g. name, address, email address, telephone number)

– Communication data (e.g. contents of enquiries, correspondence, appointment information)

– Contract, service and transaction data

– Billing and accounting data

– Organisational and case data

Processing takes place only insofar as this is necessary for handling the respective matter, carrying out pre-contractual measures, performing a contract, complying with legal obligations or ensuring proper internal administration.

2. Legal Basis for Data Processing

Where processing is necessary for carrying out pre-contractual measures or for the performance of a contract, the legal basis is Article 6(1)(b) GDPR.

Where processing is necessary for compliance with a legal obligation to which our company is subject, the legal basis is Article 6(1)(c) GDPR.

Where processing is necessary for the purposes of the legitimate interests pursued by our company, in particular for the efficient organisation of internal administrative processes, case management, IT security, and the establishment, exercise or defence of legal claims, the legal basis is Article 6(1)(f) GDPR.

Where, in an individual case, processing is based on consent, the legal basis is Article 6(1)(a) GDPR.

3. Purpose of Data Processing

Processing in internal administrative and ERP systems takes place in particular for the following purposes:

– Handling and responding to enquiries

– Planning, organising and performing our services

– Managing contacts and cases

– Contract initiation and contract performance

– Invoicing, accounting and internal administration

– Compliance with statutory documentation and retention obligations

4. Recipients or Categories of Recipients

Personal data is disclosed only to the extent necessary to fulfil the above purposes or where a legal obligation exists.

Recipients may in particular include:

– Internally responsible specialist departments

– IT and software service providers

– Microsoft Ireland Operations Limited, Microsoft Corporation and other companies involved in the provision of Microsoft Dynamics 365, insofar as this is necessary in connection with provision, hosting, maintenance, administration or support

– Providers of hosting and IT infrastructure

– Tax advisers, auditors and other advisers bound to confidentiality

– Authorities and public bodies, where a legal obligation exists

Where external service providers act on our behalf, this takes place on the basis of a data processing agreement pursuant to Article 28 GDPR, provided that the legal requirements are met.

5. Duration of Storage

Personal data is stored only for as long as is necessary to achieve the respective purposes. Data may be stored beyond that point only where statutory retention obligations exist or where this is necessary for the establishment, exercise or defence of legal claims.

XII. Third-Country Transfers

Personal data is transferred to countries outside the European Union (EU) or the European Economic Area (EEA) only where the special requirements of Articles 44 et seq. GDPR are met.

This may in particular be the case where we use third-party services on our website or in connection with our administrative and IT systems. This also applies in connection with the use of Microsoft Dynamics 365 where personal data is processed by Microsoft or companies affiliated with Microsoft and a transfer to a third country, in particular the United States, cannot be ruled out.

Such a transfer takes place only on the basis of the safeguards provided for by law, in particular:

– an adequacy decision of the European Commission,

– appropriate safeguards pursuant to Article 46 GDPR, in particular through the conclusion of standard contractual clauses,

– or, where applicable, another exception permitted by law.

Where a third-country transfer takes place in connection with individual services or systems, we will provide information about this in the relevant sections of this Privacy Policy where required under data protection law.

Further information about any third-country transfers and the safeguards in place may be requested using the contact details provided above.

XIII. Rights of the Data Subject

Where your personal data is processed, you are a data subject within the meaning of the GDPR. In particular, you have the following rights vis-à-vis the controller:

1. Right of Access

You may request confirmation from the controller as to whether personal data concerning you is being processed. Where such processing takes place, you may request access to that personal data and to the information referred to in Article 15 GDPR.

2. Right to Rectification

You have a right to rectification and/or completion where the personal data concerning you that is processed is inaccurate or incomplete.

3. Right to Restriction of Processing

Under the statutory conditions, you have the right to request the restriction of processing of your personal data.

4. Right to Erasure

You may request that personal data concerning you be erased without undue delay where the statutory requirements of Article 17 GDPR are met.

5. Right to Notification

Where you have exercised your right to rectification, erasure or restriction of processing, the controller is obliged to notify all recipients to whom the personal data concerning you has been disclosed, insofar as this is required by law.

6. Right to Data Portability

You have the right to receive the personal data concerning you that you have provided to the controller in a structured, commonly used and machine-readable format, provided that the statutory requirements are met.

7. Right to Object

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you where processing is based on Article 6(1)(e) or (f) GDPR.

8. Right to Withdraw a Data Protection Consent Declaration

You have the right to withdraw a data protection consent at any time with effect for the future.

9. Right to Lodge a Complaint with a Supervisory Authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority if you consider that the processing of your personal data infringes the GDPR.