Data protection policy

Privacy statement

I. General

The information in this statement applies to the processing of personal data on our website and is intended to inform you of the purposes of the processing, the recipients, legal bases, storage time limits, and your rights. On principle, we process the personal data of our users only where this is necessary to maintain a functioning website and to provide our contents and services. Personal data are all data relating to you personally, such as your name, your address and your email address. Data processing means in particular the collecting, storing, use and transfer of your data.

Where we obtain the consent of the data subject for the processing of personal data, the legal basis is Art. 6 (1) a) of the EU General Data Protection Regulation (GDPR).

In processing personal data necessary for the performance of a contract to which the data subject is a party, Art. 6 (1) b) serves as the legal basis. This also applies when processing is necessary to take steps prior to entering into a contract.

Where the processing of personal data is necessary for compliance with a legal obligation to which our company is subject, Art. 6 (1) c) of the GDPR serves as the legal basis.

Where processing is necessary to protect the vital interests of the data subject or another natural person, the legal basis is Art. 6 (1) d) GDPR.

If processing is necessary to pursue the legitimate interests of our company or a third party and such interests are not overridden by the interests or fundamental rights and freedoms of the data subject, the basis of processing is Art. 6 (1) f) GDPR.

Personal data of the data subject are deleted or access to these data is blocked as soon as the reason for storage no longer applies. Storage may be made after the grounds for storage no longer apply if this is prescribed by law. Blocking or deletion of the data will also occur when a storage time limit prescribed by the above-mentioned norms expires unless there is a need to continue to store the data for conclusion or performance of a contract.

You will find further information on the legal bases of processing and the duration of storage regarding specific personal data in the respective sub-sections.

You will find information on your rights in Section III.

II. Controller

Controller in the meaning of the General Data Protection Regulation and the national data protection legislation of the Member States and other data protection provisions is:

CongO GmbH
Ruffinistrasse 16
80637 Munich
Tel.:+49 89 23757464
Email: info[at]cong-o.de

III. Rights of the data subject

If your personal data are processed, you are the data subject in the meaning of the GDPR and you have the following rights against us:

1. Right to information

You may request information as to whether personal data relating to you are being processed by us. If such processing is taking place, you may request the following information from us:

(1) the purposes for which the personal data are processed;
(2) the categories of personal data that are processed;
(3) the recipient or categories of recipients to whom the personal data relating to you have been disclosed or will be disclosed;
(4) the intended duration of storage of the personal data relating to you or, if specific information on this cannot be provided, the criteria for determining the duration of storage;
(5) the existence of a right to rectification or deletion of the personal data relating to you, a right to restrict processing by the controller and the right to object to this processing;
(6) the existence of a right to lodge a complaint with a supervisory authority;
(7) all available information on the source of the data if the personal data were not collected from the person concerned;
(8) the existence of automated decision-making including profiling pursuant to Art. 22 (1) and (4) GDPR and, at least in these cases, substantive information on the logic involved and the extent of and intended effects of such processing on the person concerned.

You have the right to request information as to whether the personal data relating to you will be transmitted to a third country or an international organisation. In this connection, you may request information on suitable guarantees in connection with the transfer pursuant to Art. 46 GDPR.

2. Right to rectification

You have the right to rectification or completion if the personal data concerning you are inaccurate or incomplete. The rectification must be made without delay.

3. Right to restriction of processing

You may demand restriction of processing of your personal data where one of the following applies:

(1) you contest the accuracy of the personal data concerning you, for a period enabling us to verify the accuracy of the personal data;
(2) the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
(3) we no longer need the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims;
(4) you have objected to processing pursuant to Article 21(1) GDPR pending the verification whether our legitimate grounds override your grounds.

Where processing of your personal data has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

If processing has been restricted under the above-named conditions, you will be informed by the controller before the restriction of processing is lifted

4. Right to erasure

a) You have the right to obtain from us erasure of personal data concerning you without undue delay with the consequence that we shall have the obligation to erase these data without undue delay when one of the following grounds applies:

(1) the personal data concerning you are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(2) you withdraw consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2) GDPR, and where there is no other legal ground for the processing;
(3) you object to the processing pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) GDPR;
(4) the personal data concerning you were unlawfully processed;
(5) the personal data concerning you have to be erased for compliance with a legal obligation in Union or Member State law to which we are subject;
(6) the personal data concerning you have been collected in relation to the offer of information society services pursuant to Article 8(1) GDPR.

b) Information to third parties

Where we have made the personal data public and are obliged pursuant to Article 17 (1) GDPR to erase the personal data, we shall take reasonable steps including technical measures, taking account of available technology and the cost of implementation, to inform controllers which are processing the personal data that you as the data subject have requested the erasure by such controllers of any links to, or copy or replication of, those personal data

c) Exceptions

The right to erasure shall not apply to the extent that processing is necessary

(1) for exercising the right of freedom of expression and information;
(2) for compliance with a legal obligation which requires processing by Union or Member State law to which we are subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in us;
(3) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3) GDPR;
(4) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) GDPR in so far as the right referred to in a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
(5) for the establishment, exercise or defence of legal claims.

5. Right of notification

If you have asserted the right to rectification, erasure or restriction of processing against us, we shall be obliged to communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data concerning you have been disclosed, unless this proves impossible or involves disproportionate effort.

You have the right to be informed by us about those recipients.

6. Right to data portability

You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format. You also have the right to transmit those data to another controller without hindrance from us, where:

(1) the processing is based on consent pursuant to point (a) of Article 6(1) GDPR or point (a) of Article 9(2) GDPR or on a contract pursuant to point (b) of Article 6(1) GDPR; and
(2) the processing is carried out by automated means.

In exercising this right, you also have the right to have the personal data concerning you transmitted directly from us to another controller, where technically feasible. The rights and freedoms of others may not be adversely affected.

The right to data portability does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.

7. Right to object

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6(1) GDPR, including profiling based on those provisions.

We shall then no longer process the personal data concerning you unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or the processing serves the establishment, exercise or defence of legal claims.

Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.

If you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for such purposes.

In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you have the option of exercising your right to object by automated means using technical specifications.

8. Right to revoke the declaration of consent under privacy law

You have the right to revoke your declaration of consent under privacy law at any time. The lawfulness of the processing on the basis of your consent until revocation is not affected by the revocation.

9. Automated individual decision making, including profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision:

(1) is necessary for entering into, or performance of, a contract between you and us;
(2) is authorised by Union or Member State law to which we are subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
(3) is based on your explicit consent.

However, these decisions may not be based on special categories of personal data referred to in Article 9(1) GDPR, unless point (a) or (g) of Article 9(2) GDPR applies and suitable measures to safeguard your rights and freedoms and legitimate interests are in place.

In the cases referred to in (1) and (3), we implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.

10. Right to lodge a complaint with a supervisory authority

Regardless of any other administrative or judicial remedies, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State in which you reside, have your place of work or where the alleged infringement occurred, if in your opinion the processing of the personal data concerning you infringes the GDPR.

The supervisory authority with which you lodge the complaint will inform you of the status and the results of the complaint, including the possibility of seeking judicial remedy pursuant to Article 78 GDPR.

IV. Visiting the website and logfiles

1. Extent of the processing of personal data

Each time our internet page is visited, our system automatically collects the following data and information from the computer system of the accessing computer:

(1) information on the browser type and version used
(2) the user’s operating system and the version used
(3) the URL accessed by the user
(4) the user’s IP address
(5) date and time of access
(6) websites from which the user accesses our internet page

These data are stored in our system’s logfiles.

2.Legal basis for the processing of personal data

The legal basis for collecting and storing the data is Article 6(1) f) GDPR.

3. Purpose of the data processing

The temporary storage of the IP address is necessary for displaying the website to you. For this, your IP address has to be stored for the duration of the visit. The remaining data are collected for technical reasons in order to ensure stability and security.

This also forms the basis of our legitimate interest in processing under Article 6(1) f) GDPR.

4. Duration of storage

The data are deleted as soon as they are no longer required for the purpose for which they were collected. Data collected for the purpose of making the website available are deleted when each visit ends.

In the case of data stored in logfiles, this occurs at the latest within seven days. A longer storage period may occur. In this case, user’s IP addresses are deleted or altered so that it is no longer possible to identify the accessing client.

5. Possibility of objection and removal

Collecting the data for making the website available and storing the data in logfiles is necessary for the operation of the internet page. Hence, the option of objecting is not available to the user.

V. Registering for an event on the website

1. Description and extent of the data processing

a) General information

Our website provides you with the option of registering for participation in events by providing personal data. These data are entered in an entry field, transmitted to us and stored. The following data are always collected in the framework of the registration process:

(1) title
(2) given name
(3) family name
(4) street and house number
(5) postal code
(6) town/city
(7) country
(8) email address
(9) participation in the event and in satellite events where applicable

On registration a temporary customer account is created for you and the following data are also stored:

(1) IP address
(2) date and time of registration
(3) internal system information on the process

In addition, the following data concerning you are also stored if you provide them voluntarily:

(1) billing address if different
(2) institution
(3) department
(4) position
(5) telephone number
(6) fax number
(7) area of medical specialisation
(8) VAT ID

b) personalised entry ticket

Entry tickets are personalised. Personalisation occurs by embedding the following data of the applicant in an encrypted QR code on the ticket:

(1) title
(2) given name
(3) family name
(4) street and house number
(5) postal code
(6) town/city
(7) country
(8) email address

The data contained in this QR code can be read with a special app. At the event, third parties may request you to allow the QR code to be scanned. If you do not wish third parties to collect these data from you, you should not accede to this request. The data can only be read if you hold your ticket directly in front of a scanning device. Disclosure of your data to third parties is not a condition of participating in the event.

Responsibility for data collection and processing lies with the respective third party. That third party’s data protection provisions and privacy statement apply.

c) Payment processing

We work together with the company PaySquare to process payment transactions. To process the transaction, you will be directed to PaySquare’s website and will then be requested to enter your payment data including personal data. Data collection and processing is done by PaySquare. Please take note of PaySquare’s information on data processing and privacy statement.

d) Consent

In the frame of the registration process you will be asked to consent to the processing of these data.

2. Legal basis for the data processing

The legal basis for the data processing where you have given consent is Article 6(1)a) GDPR. If registration is necessary for the performance of a contract to which you are a party or to take steps prior to entering into the contract, processing is also based on Article 6(1)b) GDPR.

3. Purpose of the data processing

It is only possible to register for events via our website by providing the above-named data which is always required. The data provided in the context of your registration are therefore necessary for performance of a contract with you or to take steps prior to entering into a contract. Registration is also necessary for the provision of certain contents and services on our website in the form of the management of billing and delivery addresses. We may also use the collected data to contact the registered user about the event that he/she has booked.

4. Duration of storage

The data are stored for three years from the end of the year in which the registration was made.

5. Possibility of objection and removal

The data are necessary for performance of a contract or to take steps prior to entering into a contract. Hence, early deletion of the data is only possible if not barred by contractual or legal obligations.

6. Recipients

We transmit some personal data we have received in the context of registration to service providers who work with us in processing the contracts we have entered into with you. These providers are our tax advisors, the printer that produces the entry tickets and in some cases companies and individuals that are responsible for the on-site running of the event.

VI. Subscribing to the newsletter during the registration process

1. Extent of the processing of personal data

In the frame of the registration process for an event, you can also subscribe to our newsletter. In this case, we store the email address you previously entered when registering so that we can send you the newsletter. This information will be stored separately from the rest of the data collected during the registration process. At the same time as the request is sent, the following data are also stored:

(1) the user’s IP address
(2) date and time of access

In the frame of the registration process your consent to the processing of the data will be requested and reference will be made to this privacy statement.

2. Legal basis for the processing of personal data

The legal basis for the data processing is Article 6(1)a GDPR.

3. Purpose of the data processing

We collect and store your email address in order to send you the newsletter.

4. Duration of storage

The collected data are stored as long as you subscribe to the newsletter.

5. Possibility of objection and removal

You can revoke your consent at any time with future effect. This can also be done by cancelling your subscription.

VII.  Cookies

1. Extent of the processing of personal data

Our website uses cookies that are technically necessary. Cookies are text files that are stored on your computer. We use cookies to make our website more user-friendly. Some elements of our internet page require that the accessing browser can be identified also after accessing a new page.

2. Legal basis for the processing of personal data

The legal basis for processing personal data by using cookies is Article 6(1)f) GDPR.

3. Purpose of the data processing

The purpose of using technically necessary cookies is to make it easier for you to use our website. Some functions of our internet page cannot be provided without the use of cookies. They need to be able to recognise the browser even after a new page has been accessed.

The user data created by technical cookies will not be used to create legal profiles.

4. Duration of storage

Cookies that are technically necessary are usually deleted when the browser is closed and the session ends. You can also delete cookies that have already been stored at any time.

5. Possibility of objection and removal

Cookies are saved on your device which transmits them to us. Hence, by changing the settings in your browser, you can deactivate or restrict the transmission of cookies. If cookies for our website are deactivated it may no longer be possible for you to make full use of all the website’s functions.

VIII.  Contact form

1. Scope of the processing of personal data

You can use the contact form on our website to contact us. When the contact form is used, the data entered in it are transmitted to us and saved by us. These data include at a minimum the following:

(1) name
(2) email address
(3) your message to us

They also include the following data if you provide them, which are not required to use the contact form:

(1) street and house number
(2) postal code
(3) town/city
(4) country
(5) mobile phone number
(6) land line number
(7) fax number

When a request is sent, the following additional data are also collected and stored:

(1) the user’s IP address
(2) the date and time of access
(3) URL of the accessed site
(4) information on the browser type and version used
(5) user’s operating system and version used

We use the collected data to answer and process your requests. You are not required to provide us with your personal data. However, in that case, we will not be able to answer your request.

2. Legal basis for the processing of personal data

If you send us your data in the context of taking steps prior to entering into a contract, for example, when you request us to send an offer or you have a query regarding our products, the legal basis is Article 6(1)b) GDPR. In all other cases, the legal basis is Article 6(1)f) GDPR.

3. Purpose of the data processing

We process the personal data from the entry field only to deal with your contact request. If a contact request is made by email, this also provides us with the necessary legitimate interest in processing the data.

Other personal data processed when the contact form is sent serve to prevent misuse of the contact form and to ensure the security of our IT systems.

4. Duration of storage

Your data are deleted when the circumstances show that your request or the relevant matter has been finally dealt with.

Personal data collected in addition when the request is sent are deleted after seven days.

5. Possibility of objection and removal

Collection of the data is necessary to deal with the request sent via the contact form. Hence, the user does not have the option of objection.

 

IX. Subscribing to the newsletter without using the registration process

1. Extent of the processing of personal data

On our website you can subscribe to a newsletter. To do this, you must enter your email address in the form provided for this on the website.

Your email address will be transmitted to us and stored by us. When you send your request, the following data will also be collected and stored:

(1) IP address of the user
(2) date and time of access
(3) information on the browser type and version used
(4) user’s operating system and version used

When you complete the form to subscribe to the newsletter, a record is created. In this record, changes you subsequently make to your subscription request are stored. The above data are stored again every time you make a change.

A record is also created of the messages we send you. We store information on which newsletters were sent to you and whether any have been returned.

When you make your subscription request we seek your consent to the processing of these data and refer to this privacy statement.

2. Legal basis for the processing of personal data

The legal basis for processing the data is Article 6(1)a) GDPR.

3. Purpose of the data processing

We collect and store the email address so that we can send you the newsletter.

4. Duration of storage

The collected data will be stored as long as your subscription to the newsletter runs.

5. Possibility of objection and removal

You may revoke your consent with future effect at any time. You can also do this by cancelling your subscription.

X. Google Maps

1. Extent of the processing of personal data

On our website we use Google Maps to show our location. Google Maps is operated by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; “Google”). When you access our contact page in which Google Maps is integrated, Google places a cookie on your terminal so that, when the page is displayed with the Google Map functions, user configurations and data can be processed for displaying Google Maps.

In addition, through the use of Google Maps information on the use of this website including your IP address and the (start) address entered in the route planning function may be transferred to Google in the USA. When you access our contact page containing Google Maps, your browser creates a direct link with Google’s servers. The map is sent by Google directly to your browser and integrated into the website by Google. According to the information available to us, Google collects the following data in this process:

– date and time of the visit of the website concerned,

– internet address or URL of the accessed website,

– IP address and (start) address entered in the frame of route planning.

2. Legal basis for the processing of personal data

The legal basis for the processing of the user’s personal data is Article 6(1)f) GDPR.

3. Purpose of the data processing

We use Google Maps to show the options for arriving at our location. This purpose provides our legitimate interest in processing the data.

4. Duration of storage and possibility of objection

Cookies are saved on the user’s device and sent by it to us. As the user, you therefore have complete control over the use of cookies. By changing the settings on your internet browser you can deactivate or restrict the use of cookies. Cookies that have already been stored can be deleted at any time. This can also be done by automated means. If cookies for our website are deactivated, this may mean that not all the functions of our website can be used to the full extent.

If you do not wish Google to use Google Maps to collect, process or use your data via our website, you can deactivate JavaScript in your browser settings. However, in this case you will not be able to use the map.

For information on the purpose and extent of the data collection and the further processing and use of the data by Google as well as your rights and your setting options for protecting your privacy, please consult Google’s privacy statement

https://policies.google.com/privacy?hl=en

5. Data recipient and transfer to a third country

The recipient of the data is Google. In cases where personal data are transferred to the USA, a transfer to Google in the USA as a third country as defined in the GDPR is permissible under Articles 44 and 45 GDPR, since with respect to this company an appropriate level of data protection for the USA exists.

On the basis of Article 25(6) of Directive 95/46/EC (1995), there is a decision on adequacy of the European Commission in the form of the so-called EU-US Privacy Shield. The EU-US Privacy Shield is an intergovernmental agreement between the United States of America and the European Union. This agreement provides for the protection of personal data sent from a member state of the European Union to the USA. By means of a self-certification procedure by companies monitored by US government authorities it is ensured that only companies that observe a level of data protection comparable to the EU can process personal data from the EU in the USA. Google has been certified according to the provisions of the EU-US privacy Shield. Hence, with regard to this recipient there is an adequate level of protection despite the lack of a decision on adequacy by the European Commission as provided in Article 45 GDPR. Current certifications can be viewed here:

https://www.privacyshield.gov/list

XI. Google Fonts

1. Extent of the processing of personal data

Our website uses Google Fonts to show typefaces. Google Fonts is a service of Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; “Google”). When you access our website, information on the use of this website including your IP address is transmitted to Google in the USA. According to the information available to us, Google collects the following data in this process:

– date and time of the visit of the website concerned,
– internet address or URL of the accessed website,
– IP address.

2. Legal basis for the processing of personal data

The legal basis for the processing of the user’s personal data is Article 6(1)f) GDPR.

3. Purpose of the data processing

We use Google Fonts for the uniform presentation of contents on our website. This purpose also provides our legitimate interest in processing the data.

4. Duration of storage and possibility of objection

For information on the purpose and the extent of the data collection and the further processing and use of your data by Google as well as your rights and your setting options for protecting your privacy, please consult Google’s privacy statement:

https://policies.google.com/privacy?hl=en

5. Data recipient and transfer to a third country

The recipient of the data is Google. In cases where personal data are transferred to the USA, a transfer to Google in the USA as a third country as defined in the GDPR is permissible under Articles 44 and 45 GDPR, since with respect to this company an appropriate level of data protection for the USA exists.

On the basis of Article 25(6) of Directive 95/46/EC (1995), there is a decision on adequacy of the European Commission in the form of the so-called EU-US Privacy Shield. The EU-US Privacy Shield is an intergovernmental agreement between the United States of America and the European Union. This agreement provides for the protection of personal data sent from a member state of the European Union to the USA. By means of a self-certification procedure by companies monitored by US government authorities it is ensured that only companies that observe a level of data protection comparable to the EU can process personal data from the EU in the USA. Google has been certified according to the provisions of the EU-US privacy Shield. Hence, with regard to this recipient there is an adequate level of protection despite the lack of a decision on adequacy by the European Commission as provided in Article 45 GDPR. Current certifications can be viewed here:

https://www.privacyshield.gov/list

XII.  YouTube

1. Extent of the processing of personal data

We have integrated YouTube videos in our website. The   provider is YouTube LLC, 901 Cherry Avenue, San Bruno, CA 94066, USA, represented by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. When you access a page with embedded videos, or at the latest when you access the video, YouTube places a cookie on your terminal. In addition, your IP address is sent to YouTube. If you have a YouTube account and are logged into it, information on your visit to the website and where applicable your accessing of the video will be identified with your user account.

2. Legal basis for the processing of personal data

The legal basis for processing the user’s personal data is Article 6(1)f) GDPR.

3. Purpose of the data processing

We use embedded videos in designing our web pages and to enhance user friendliness. This purpose also provides our legitimate interest in processing the data.

4. Duration of storage and possibility of objection

Cookies are saved on the user’s device and sent by it to us. As the user, you therefore have complete control over the use of cookies. By changing the settings on your internet browser you can deactivate or restrict the use of cookies. Cookies that have already been stored can be deleted at any time. This can also be done by automated means. If cookies for our website are deactivated, this may mean that not all the functions of our website can be used to the full extent.

For information on the purpose and extent of the data collection and the further processing and use of the data by YouTube as well as your rights and your setting options for protecting your privacy, please consult YouTube’s privacy statement

https://policies.google.com/privacy?hl=en

5. Data recipient and transfer to a third country

The recipient of the data is YouTube. In cases where personal data are transferred to the USA, a transfer to YouTube in the USA as a third country as defined in the GDPR is permissible under Articles 44 and 45 GDPR, since with respect to this company an appropriate level of data protection for the USA exists.

On the basis of Article 25(6) of Directive 95/46/EC (1995), there is a decision on adequacy of the European Commission in the form of the so-called EU-US Privacy Shield. The EU-US Privacy Shield is an intergovernmental agreement between the United States of America and the European Union. This agreement provides for the protection of personal data sent from a member state of the European Union to the USA. By means of a self-certification procedure by companies monitored by US government authorities it is ensured that only companies that observe a level of data protection comparable to the EU can process personal data from the EU in the USA. As a subsidiary of Google, YouTube has been certified together with Google according to the provisions of the EU-US privacy Shield. Hence, with regard to this recipient there is an adequate level of protection despite the lack of a decision on adequacy by the European Commission as provided in Article 45 GDPR. Current certifications can be viewed here:

https://www.privacyshield.gov/list