Notes on data protection at DKMS BMST Foundation India

1. Overview

1.1. These Data Protection Regulations have been drawn up to provide you with an overview of how we record, save, process, pass on or transmit your data when you visit our website or use the services offered on our website.

1.2. When processing your personal data, we adhere to the principles of the data protection specifications of the EU General Data Protection Regulation (GDPR), the Information Technology Act, 2000, the Indian Contract Act, 1872, and the applicable laws of India.

1.3. Personal data comprises all data that relates to you personally, including your IP address, name, address, e-mail data and user behavior.

1.4. We reserve the right to modify the content of these Data Protection Regulations. We therefore recommend that you consult the Data Protection Regulations again at regular intervals.

1.5. The controller as per Art. 4 para. 7 of the EU General Data Protection Regulation (GDPR) is DKMS BMST Foundation India (see imprint). You can reach our data protection officer at dataprotection@dkms-bmst.org or by writing to our postal address with the addendum “the data protection officer”.

2. What personal data do we process?

We record data relating to you when you visit our website or use our services offered on the website. Depending on how you use our website, this may comprise the following information:

2.1. Purely informational use: You can visit our website without providing any personal data. When you use the website for purely informational purposes, in other words if you do not use our homepage to donate money, complete a contact form or otherwise transmit any information to us, we do not record any personal data, with the exception of the data that your browser automatically transmits to our server in order to allow you to visit our website. If you wish to view our website, we record the following data, which is technically necessary in order for us to display our website to you as well as to ensure stability and security:

• IP address

• Time and date of the inquiry

• Time zone difference compared to Greenwich Mean Time (GMT)

• Content of the request (specific page)

• HTTP status code

• Website from which the request comes

• Browser

• Operating system and its user interface

• Language and version of the browser software

This information relates to the computer system used. We use this data (with the exception of your computer’s IP number) solely for statistical purposes, to measure demand for our web content and services. We simply record this data cumulatively for all users of the website, meaning that it is not possible to assign the data to a specific person. This data is not merged with data from other data sources.

2.2. In addition to providing a website for purely informational purposes, we provide you with various services (donating money, ordering a registration set, contact form), which you can use if interested. To do this, you usually need to specify further personal data, which we require in order to provide the respective service.

2.2.1. Contact via e-mail or contact form: If you contact us by e-mail or one of the contact forms provided when visiting our website, we will additionally process and save the data that you have provided (your e-mail address and, possibly, your name and phone number) in order to answer your questions. The data of users may be saved in a customer relationship management system (CRM system) or some comparable system.

2.2.2. Donating money via our website: If you would like to use the option provided on our website to donate money, we will additionally process the data you share in this process that is required to perform the requested transaction. Here, the processing of your personal data depends on the selected payment method:

Payment by credit card: When you select payment by credit card, we process your name, address and e-mail address to perform the required payment transaction and to send you confirmation of donation, if required.

Payment by bank transfer: If you decide to pay via bank transfer, we do not process any personal data other than that which is processed when you visit our website purely for information purposes.

2.2.3. Ordering a registration set: When you visit our website, if you decide to order a set to register as a stem cell donor, we process your name, address, e-mail address and information on your lineage as well as your phone number if you have given us this.

2.2.4. Links to websites of third-party providers

At various places on our website there are links to the websites of third-party providers. After clicking on the link provided, you are forwarded to the website of the third-party provider concerned. In the process of forwarding, user information is transmitted to the third-party provider. If you send information to or via these sites of third-party providers, we recommend that you read the data protection regulations for these sites before providing them with any further information that can be assigned to you personally. For information with regard to how your data is handled while using the websites of third-party providers, please refer to the respective data protection regulations of the third-party providers. We are not responsible for their operation, including how they handle data.

3. For what purpose do we process your personal data?

3.1. We only process your personal data to the extent that is necessary in order to provide a working website and to provide our content and services. Personal data is only processed on a regular basis where this is permitted by statutory provisions or where the person concerned has given consent.

3.2. If you use our website for purely informational purposes, we record only the data that is technically necessary in order for us to display our website to you as well as ensure stability and security.

3.3. When you contact us by e-mail or via a contact form, your personal data will only be used for the purpose of answering your request.

3.4. If you use our website to donate money, your data shall be processed only to the extent that this is necessary to fulfill the donation contract.

3.5. If you use our website to request delivery of a registration set, we shall use the data you provide in this process to send you the registration set via post and to accelerate the important registration process. The information on your lineage shall be used solely in order to subsequently pre-complete the declaration of consent to be delivered via post with the specified data and thereby to accelerate the processes relating to the registration procedure. Here, we process your e-mail address solely for the purpose of any existing queries and information relating to the registration set order. The legal basis for processing your personal data is the consent you give here.

4. How do we process your personal data?

When you use our website, your data is transmitted to us in encrypted form in order to prevent access by unauthorized third parties. We save your data on specially protected servers. Access to personal data is only possible for a few DKMS-BMST employees with special authorization, all of whom are familiar with the relevant Data Protection Regulations and compelled to comply with them.

5. Is personal data passed on to third parties?

Only our employees gain knowledge of your personal data. In addition, where this is prescribed or permitted by law, we share your personal data with recipients who provide services for us. The reason for this is that, in order to be able to perform our duties, we need to work together with service providers, who may also have to process personal data for this purpose. We restrict the forwarding of your personal data to what is really necessary. The service providers have been carefully selected and commissioned by us, are bound by our instructions and are monitored on a regular basis. They are bound by a contract with DKMS-BMST to ensure that any personal data that they receive in this context is used only for the allowed purpose. We assure you that we do not sell or rent your data to any other companies or organizations. We will under no circumstances use your e-mail address or other data without your agreement for any other purposes for which you have not given your consent.

The providers commissioned by us include, in particular:

• Service providers, financial institutions, payment providers.

6. How long do we save your personal data?

6.1. We will only save any personal data that you have transmitted or provided until the purpose for doing so has been fulfilled, until you revoke your consent, until you object to the data being processed or until you request the deletion of your data.

6.2. If you use the website for purely informational purposes, we will save your data on our servers only for the duration of your visit to our website. Once you leave our website, your data will be immediately deleted.

6.3. If you contact us by e-mail or one of the contact forms provided when using our website, we will delete any data recorded in this context once it is no longer necessary to save the data or will restrict processing if any statutory storage obligations exist. We check necessity on a regular basis.

6.4. If you have used our website to donate money and we processed data to issue you with confirmation of the donation we will save your data until you revoke your consent to the data being processed or until you request the deletion of your data in accordance with the procedure described under item 8. In this case, your data will be blocked and then deleted once any statutory archiving periods have expired.

6.5. If you have used our website to order a registration set, we will save the personal data you share with us in this process until the related procedure has been completed through return of the registration set. If the set is unexpectedly not returned within a certain period of time, we will make two attempts to contact you and request return by e-mail. If this elicits no response, your data will be blocked, i.e. you will no longer receive any messages from us. The data can then only be viewed to a limited extent by a few employees to prevent renewed orders of registration sets for the same person in cases where a registration set has not been returned. Once this purpose is also no longer valid, your data will be deleted.

6.6. If you have returned the registration set and the signed declaration of consent contained within it to us, your personal data shall be processed further on the basis of this declaration of consent.

7. Why am I receiving information or newsletters from DKMS-BMST?

7.1. You receive medical information, messages regarding process changes, or general information regarding your specific process if you have donated money, ordered a registration set or registered as a stem cell donor with us. This information relates exclusively to processes and does not involve advertising mails.

7.2. We would like to inform you about why it is important for us to remain in contact with you, particularly if you are a registered stem cell donor. Transfer of the information specified under item 7.1. is essential for an efficient procedure for a potential stem cell donation. The purpose of this is primarily to remain in contact with our donors and thus to remind you about your registration as a potential stem cell donor, which may have been several years ago. Maintaining a minimum level of contact increases the possibility of giving someone a second chance at life. This is the only way for us to guarantee that our potential stem cell donors are available and can be reached and, in the event of a “match” with an ill patient, to ensure that our donors can actually be reached using the contact data we have stored. In the event of a stem cell donation, it is essential that the potential donor is available, as time is of the essence for the affected patient.

7.3. Provided you have given your consent, in addition to the information specified under item 7.1, you will also receive newsletters (advertising e-mails) that contain only general information regarding our activities.

7.4. If you no longer wish to receive the newsletter in the future, you can cancel this service at any time without providing a reason for this. To do so, click on the unsubscribe link in one of our newsletters or please send us an e-mail with the subject “NONEWS” to nonews@dkms-bmst.org or tell us this using the contact data in the imprint.

8. What rights do I have?

8.1. You have the following rights with regard to your personal data that we process:

• Right to information

• Right to correction or deletion

• Right to restriction of processing

• Right to object to processing

• Right to data portability

8.2. If you have given your consent for us to process your personal data, you can revoke this at any time. Once you have pronounced such a revocation to us, this affects the permissibility of processing your personal data. It is possible here to restrict the revocation of consent to process your personal data to specific purposes such as a newsletter (restriction of processing).

8.3. If you wish to exercise your rights described above, please submit your request to: DKMS BMST Foundation India, 723, CMH road, Indiranagar 1st stage, Bangalore- 560038 or by email to dataprotection@dkms-bmst.org

8.4. You also have the right to lodge a complaint with a data protection supervisory authority about the way in which we process your personal data.

9. How do we use cookies?

9.1. In addition to the data specified above, we use cookies to make our website available to you. Cookies are small text files that are saved on your hard disk, assigned to the browser that you use, and which supply certain information (see below for details) to the party that set the cookie (in this case to us). Cookies cannot execute any programs or transfer viruses to your computer. They have the purpose of making the website as a whole more user-friendly and more effective.

9.2. We use cookies in order to make our website available to you with their technical information (necessary cookies). In addition, we use cookies for the purpose of web analysis.

9.3. You can configure your browser settings in accordance with your wishes and, for example, reject the acceptance of third-party cookies or even all cookies. Moreover, by selecting appropriate settings in your Internet browser, you can prevent or restrict the installation of cookies. At the same time, cookies that have already been saved can be deleted at any time. However, the steps and measures that are necessary to do so depend on the specific Internet browser that you use. If you have any questions, therefore, please refer to the help function or documentation for your Internet browser or contact the corresponding manufacturer or support. Likewise, you can opt out of using cookies from certain providers, for example via http://www.youronlinechoices.com/uk/your-ad-choices or http://www.networkadvertising.org/choices/. Please note that you may not be able to use all the functions of this website if you do this.

9.4. This website uses the following types of cookies, the scope and function of which are explained below:

9.4.1. Transient cookies: Transient cookies are deleted automatically when you close the browser. These include session cookies, in particular. These save a so-called session ID that can be used to assign various requests from your browser to the shared session. This enables your computer to be recognized if you return to our website. The session cookies are deleted when you log out or close the browser.

9.4.2. Persistent cookies: Persistent cookies are automatically deleted after a specified duration, which may differ depending on the cookie. You can delete cookies at any time in your browser’s security settings.

9.5. We also use HTML5 storage objects, which are stored on your device. These objects save the required data regardless of the browser you use and do not have an automatic expiry date. You can prevent the use of HTML5 storage devices by setting your browser to private mode. We also recommend regularly deleting your cookies and browser history manually.

10. Use of Piwik Pro analytics

10.1. We process personal data based on consent according to Art. 6(1)(a) GDPR, which you are free to give or refuse. You’ll see consent options when you visit our website for the first time. You can change your decisions at any time by clicking the button below. If you change your decision it will not affect the lawfulness of processing based on consent before its withdrawal.

Purpose: improve site user interface, optimize sales and marketing content
Personal data used: browser cookie, browsing behavior on piwik.pro, device information, IP address
First party involved: Piwik PRO

Piwik PRO Analytics Suite is an analytics and customer data platform. It collects first-party data about website visitors based on cookies, IP and fingerprinting; we create user profiles based on user browsing history and calculate metrics related to website usage such as bounce rate, depth of visits, page views etc. We host our solution on Microsoft Azure infrastructure in the Netherlands and the data is stored for a period of 25 months. (Purpose of processing data: Analytics, Conversion tracking based on consent, Legal basis: Art. 6 (1)(a) GDPR).

11. Use of AddSearch site search

11.1. DKMS uses AddSearch on this website. AddSearch does not store personal data longer than is legally permitted and necessary for the purposes of providing the Services or the relevant parts thereof. The storage period depends on the nature of the information and the purposes of processing. The maximum period may therefore vary per use.

12. What social media plug-ins do we use?

12.1. Our website uses social media plug-ins from various social networks. If you open a page of our website that contains such a plug-in, your browser will establish a direct connection to the servers of the social networks. The social networks will transmit the content of the plug-in directly to your browser, which will incorporate it into the website.

12.2. As a result of the integration of the plug-ins, the social networks are informed that you have accessed the corresponding page on our website. If you are logged into one or more social networks, the networks concerned can assign the visit to your account. If you interact with the plug-in, for example by selecting the “Like” button or sending a Tweet, your browser will send the corresponding information directly to Facebook or Twitter, where it will be stored.

12.3. We do not bear any responsibility for services of third parties such as Twitter or Facebook that are linked to our website. Such third-party providers are not able to assign the IP addresses to any other personal data that is collected via the DKMS-BMST website. Further information regarding data collection by third-party providers can be found on the respective websites of these providers.

12.4. We currently use the following social media plug-ins: Facebook, Twitter, Instagram. We provide you with the option of communicating with the provider of the plug-in directly by clicking the button. The plug-in provider is informed that you have accessed the corresponding page of our website only if you activate the selected field by clicking it. The data specified in item 2.1. of this privacy statement is also transmitted. In the case of Facebook, according to the statement of the respective provider in Germany, the IP address is anonymized as soon as it has been recorded. When the plug-in is activated, therefore, personal data relating to you is transmitted to the respective plug-in provider and stored there (in the USA in the case of US providers). As the plug-in provider collects data in particular by means of cookies, we recommend that you use the security settings in your browser to delete all cookies before clicking on the grayed-out box.

12.4.1. We have no influence over the data collected or the data processing operations, and we are not aware of the complete scope of data collection, the purposes of processing or the retention periods. Neither do we have any information regarding the deletion of the collected data by the plug-in provider.

12.4.2. The plug-in provider stores the data collected regarding you in the form of usage profiles, which it uses for the purposes of advertising, market research and to tailor its website to meet user needs. Such evaluation takes place in particular (also for users who are not logged in) in order to display tailored advertising and inform other users of the social network about your activities on our website. You have the right to object to the creation of these user profiles. To exercise this right, you must contact the plug-in provider concerned. Our aim in providing the plug-ins is to enable you to interact with the social networks and other users so that we can improve the content and services we offer and make them more interesting for you as a user. The legal basis for using the plug-ins is Art. 6 para. 1 (f) of the GDPR.

12.4.3. The data is forwarded regardless of whether you have an account with the plug-in provider and are logged in there. If you are logged in to the plug-in provider, your data collected on our website will be directly assigned to your existing account with the plug-in provider. If you click the activated button and, for example, link the page, the plug-in provider will also store this information in your user account and share it openly with your contacts. We recommend that you regularly log out after using a social network, especially before activating the button. In this way, you can prevent any assignment to your profile with the plug-in provider.

12.4.4. Further information regarding the purpose and scope of data collection and processing by the plug-in provider can be found in the privacy statements of these providers as specified below. You will also find further information there regarding your rights in this respect and the possible settings that can be used to protect your privacy.

12.4.5. Addresses of the respective plug-in providers and URLs containing their privacy notices:

• Facebook Inc., 1601 S California Ave, Palo Alto, California 94304, USA; http://www.facebook.com/policy.php; further information on data collection: http://www.facebook.com/help/186325668085084, http://www.facebook.com/about/privacy/your-info-on-other#applications and http://www.facebook.com/about/privacy/your-info#everyoneinfo. Facebook has submitted to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.

• Google Inc., 1600 Amphitheatre Parkway, Mountain View, California 94043, USA; https://policies.google.com/technologies/partner-sites?hl=en. Google has submitted to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.

• Twitter, Inc., 1355 Market St, Suite 900, San Francisco, California 94103, USA; https://twitter.com/privacy. Twitter has submitted to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.

• Instagram: Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland, https://help.instagram.com/519522125107875?helpref=page_content.

13. How are YouTube videos integrated?

13.1. We have incorporated YouTube videos into our website that are stored at http://www.YouTube.com and can be played directly from our website.

13.2. When you visit the website, YouTube is informed that you have accessed the corresponding subpage of our website. The data specified in item 2.1. of this privacy statement is also transmitted. This takes place regardless of whether YouTube provides a user account via which you are logged in or whether no user account exists. If you are logged into a Google account, your data will be directly assigned to your account. If you do not want the data to be assigned to your profile with YouTube, you must log out before activating the button. YouTube stores your data in the form of usage profiles, which it uses for the purposes of advertising, market research and to tailor its website to meet user needs. Such evaluation takes place in particular (also for users who are not logged in) in order to provide tailored advertising and inform other users of the social network about your activities on our website. You have the right to object to the creation of these user profiles. To exercise this right, you must contact YouTube.

13.3. Further information regarding the purpose and scope of data collection and processing by YouTube can be found in the privacy statement. You will also find further information there regarding your rights and the possible settings that can be used to protect your privacy: https://www.google.de/intl/de/policies/privacy. Google also processes your personal data in the USA and has submitted to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.

14. Questions and comments

Do you have any questions regarding our Data Protection Regulations? Please contact our data protection officer at dataprotection@dkms-bmst.org