This privacy policy explains the nature, scope, and purpose of the processing of personal data (hereinafter referred to as “data”) in connection with the use of our online offering and the associated websites and social media profiles (hereinafter collectively referred to as “online offering”).
With regard to the terms used, such as “processing” or “controller,” we refer to the definitions in Art. 4 of the General Data Protection Regulation (GDPR).
The data protection information for our application process can be found
here, for our customers and business partners
here.
Responsible party
Hygiene Institute of the Ruhr Area
Institute for Environmental Hygiene and Toxicology
Rotthauser Str. 21
45879 Gelsenkirchen
Phone:
Fax
Email: info(at)hyg.de
Sponsor of the institute
Association of the Hygiene Institute of the Ruhr Area e.V., Gelsenkirchen
Our data protection officer
We have appointed a data protection officer. You can contact them using the following contact details:
Association for the Prevention of Common Diseases in the Ruhr Coal Mining Area e.V.
- The Data Protection Officer -
Rotthauser Str. 19
45879 Gelsenkirchen
datenschutzbeauftragter@hyg.de
Types of data processed
In connection with your use of our online offering, we process the following types of data:
- Inventory data (e.g., names, addresses).
- Contact data (e.g., email addresses, telephone numbers).
- Content data (e.g., text entries, photographs, videos).
- Usage data (e.g., websites visited, interest in content, access times).
- Meta/communication data (e.g., device information, IP addresses).
- Applications
Categories of data subjects
Visitors and users of the online offering (hereinafter, we also refer to the data subjects collectively as “users”).
Purpose of processing
- Provision and optimization of the online offering, its functions, and content.
- Responding to contact requests and communicating with users.
- Security measures.
- Carrying out application procedures
Relevant legal basis
Unless this privacy policy expressly refers to a legal basis, we process your data on the following legal bases:
If you have given your consent to the processing of your data, the legal basis is Art. 6 (1) lit. a) and Art. 7 GDPR. If we process your data for the purpose of contract initiation or fulfillment of our services and implementation of contractual measures as well as responding to inquiries, the legal basis is Art. 6 (1) lit. b) GDPR. If we process your data to fulfill our legal obligations, this is done on the basis of Art. 6 para. 1 lit. c) GDPR. In the event that vital interests of the data subject or another natural person require the processing of personal data, Art. 6 para. 1 lit. d) GDPR serves as the legal basis. On the basis of Art. 6 para. 1 lit. f) GDPR, we process data to protect the legitimate interests of the controller or third parties.
Security measures
In accordance with Art. 32 GDPR, we take appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing, as well as the likelihood and severity of the risk to the rights and freedoms of natural persons.
These measures include, in particular, ensuring the confidentiality, integrity, and availability of data by controlling physical access to the data, as well as access to, input, transfer, and backup of the data, and ensuring its availability and separation. Furthermore, we have established procedures to ensure that data subjects can exercise their rights, that data is deleted, and that we respond to threats to data. Furthermore, we take the protection of personal data into account during the development or selection of hardware, software, and procedures, in accordance with the principle of data protection by design and by default (Art. 25 GDPR).
Cooperation with processors and third parties
If, in the course of our processing, we disclose data to other persons and companies (processors or third parties), transfer it to them or otherwise grant them access to the data, this will only be done on the basis of a legal permission (e.g. if the transfer of data to third parties, such as payment service providers, is necessary for the fulfillment of the contract in accordance with Art. 6 para. 1 lit. b) GDPR), you have given your consent, a legal obligation requires this, or on the basis of our legitimate interests (e.g. when using agents, web hosts, Fathom Analytics, etc.).
If we commission third parties to process data on the basis of a so-called “order processing contract,” this is done on the basis of Art. 28 GDPR.
Transfers to third countries
If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if this occurs in the context of the use of third-party services or the disclosure or transfer of data to third parties, this will only take place if it is necessary for the fulfillment of our (pre-)contractual obligations, on the basis of your consent, on the basis of a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual permissions, we only process or have the data processed in a third country if the special requirements of Art. 44 ff. GDPR are met. This means that processing is carried out, for example, on the basis of special guarantees, such as the officially recognized determination of a data protection level equivalent to that of the EU (e.g., for the USA through the “Data Privacy Framework”) or compliance with officially recognized special contractual obligations (so-called “standard contractual clauses”).
Rights of data subjects
You have the right to request confirmation as to whether data concerning you is being processed and to obtain information about this data as well as further information and a copy of the data in accordance with Art. 15 GDPR.
In accordance with Art. 16 GDPR, you have the right to request the completion of data concerning you or the correction of inaccurate data concerning you.
In accordance with Art. 17 GDPR, you have the right to request that data concerning you be deleted immediately. Alternatively, in accordance with Art. 18 GDPR, you may request a restriction on the processing of the data.
You have the right to request that the data concerning you that you have provided to us be transferred to another controller in accordance with Art. 20 GDPR.
You also have the right to lodge a complaint with the competent supervisory authority in accordance with Art. 77 GDPR.
We would be happy if you would first contact our data protection team (datenschutz@hyg.de) with your request.
Right of withdrawal
You have the right to withdraw your consent in accordance with Art. 7 (3) GDPR with effect for the future.
Right to object
You may object to the future processing of your data at any time in accordance with Art. 21 GDPR. The objection may be made in particular against processing for direct marketing purposes.
Cookies and tracking
This website does not use cookies that store personal data. Tracking does not take place.
Deletion of data
The data we process will be deleted or restricted in its processing in accordance with Articles 17 and 18 of the GDPR. Unless expressly stated in this privacy policy, the data stored by us will be deleted as soon as it is no longer required for its intended purpose and there are no legal obligations to retain it. If the data is not deleted because it is required for other and legally permissible purposes, its processing will be restricted. This means that the data will be blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax reasons in accordance with the statutory retention period, e.g., under the German Commercial Code (HGB) and the German Fiscal Code (Abgabenordnung).
Contact
When you contact us (e.g. via the contact form, email, telephone or social media), the user's details will be processed for the purpose of processing the contact request and its handling in accordance with Art. 6 para. 1 lit. b) GDPR.
User information may be stored in a customer relationship management system (“CRM system”) or a comparable inquiry organization system.
We delete inquiries once they are no longer required. We review the necessity of storage every two years; furthermore, the statutory archiving obligations apply.
Hosting
The hosting services we use serve to provide the following services: infrastructure and platform services, computing capacity, storage space and database services, security services, and technical maintenance services that we use for the purpose of operating this online offering.
In doing so, we or our hosting provider process inventory data, contact data, content data, contract data, usage data, meta and communication data of customers, interested parties, and visitors to this online offering on the basis of our legitimate interests in the efficient and secure provision of this online offering in accordance with Art. 6 para. 1 lit. f) GDPR. If we use service providers for this purpose, this is done on the basis of a contract processing agreement in accordance with Art. 28 GDPR.
Collection of access data and log files
We, or our hosting provider, collect data about every access to the server on which this service is located (so-called server log files) on the basis of our legitimate interests within the meaning of Art. 6 para. 1 lit. f) GDPR. The access data includes the name of the website accessed, the file accessed, the date and time of access, the amount of data transferred, notification of successful access, browser type and version, the user's operating system, referrer URL (the previously visited page), IP address, and the requesting provider.
Log file information is stored for security reasons (e.g., to investigate misuse or fraud) for a maximum period of 7 days and then deleted. Data that must be retained for further storage for evidence purposes is excluded from deletion until the respective incident has been finally clarified.
Web analysis
We use the web analysis tool Fathom Analytics to count and, above all, to clearly display access to our websites. No cookies are used for this purpose. Fathom is a service provided by Conva Ventures Inc. (BOX 37058 Millstream PO, Victoria, British Columbia, V9B 0E8, Canada). As a private company, the provider of “Fathom” falls under the EU Commission's adequacy decision for Canada, ensuring an adequate level of data protection.
Data processing also takes place exclusively in Europe and in EU data centers through a process known as “EU isolation.” Fathom provides further details here: https://usefathom.com/compliance.
Fathom processes personal data (IP address and user agent) and stores a hash value (pseudo-anonymized data) for 48 hours. The hash value is used, among other things, to recognize returning visitors. Neither we nor Fathom can directly derive any personal references from this data. We have concluded a data processing agreement with Fathom's provider, Conva Ventures Inc, which complies with the requirements of Art. 28 GDPR.
Social media (LinkedIn)
We maintain an online presence on LinkedIn and process user data in this context in order to communicate with users active there or to provide information about us.
In doing so, user data may also be processed outside the EU/EEA. This may result in risks for users, as it could, for example, make it more difficult to enforce their rights.
Furthermore, user data within social networks is generally processed for market research and advertising purposes. For example, usage profiles can be created based on the usage behavior and resulting interests of users. The user profiles can in turn be used, for example, to place advertisements within and outside the networks that are likely to correspond to the interests of the users. For these purposes, cookies are usually stored on the users' computers, in which the usage behavior and interests of the users are stored. Furthermore, data may also be stored in the usage profiles independently of the devices used by users (in particular if users are members of the respective platforms and are logged in to them).
For a detailed description of the respective forms of processing and the options for objection (opt-out), we refer to the privacy policy and information provided by the provider.
In the event of requests for information and the assertion of data subject rights, we would also like to point out that these can be most effectively asserted with the provider. Only the provider has access to the user data and can take appropriate measures and provide information directly. However, if you require assistance, please contact us.
Types of data processed: Contact data (e.g., email, phone numbers); content data (e.g., entries in online forms); usage data (e.g., websites visited, interest in content, access times); meta/communication data (e.g., device information, IP addresses).
Data subjects: Users (e.g., website visitors, users of online services).
Purposes of processing: Contact requests and communication; feedback (e.g., collection of feedback via online form); marketing.
Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f. GDPR).
Service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; website: https://www.linkedin.com; privacy policy: https://www.linkedin.com/legal/privacy-policy; standard contractual clauses (guaranteeing the level of data protection when processing in third countries): https://legal.linkedin.com/dpa; Right to object (opt-out): https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out; Data processing agreement: https://legal.linkedin.com/dpa.
Automated decision-making, including profiling, pursuant to Art. 22 GDPR
We do not process your personal data for automated decision-making, including profiling, in accordance with Art. 22 (1) and (4) GDPR. If these are used, we will provide meaningful information about the logic involved, as well as the significance and the intended effects of such processing for the data subject.
Are you obliged to provide your personal data?
There is no legal obligation to provide us with your personal data.
If you fail to provide information or technically prevent us from processing personal data that is necessary for the use of our website, it is possible that you will only be able to use our offer to a limited extent.
The provision of your data when contacting us via our contact form or contacting one of our contact persons is voluntary. However, without the necessary information, in particular a means of contact, we will not be able to process your request.
As of: May 28, 2025
