
Privacy Policy

I. Name and Address of the Controller

 

The controller within the meaning of the General Data Protection Regulation and other national data protection laws of the member states as well as other data protection regulations is:

German Cancer Research Center
c/o EDY diagnostics
Im Neuenheimer Feld 280
69120 Heidelberg
Germany

Phone: +49 (0)6221 420
Email: kontakt[at]dkfz.de

 

II. Name and Address of the Data Protection Officer

The Data Protection Officer of the controller is:

Data Protection Officer
German Cancer Research Center – Foundation under Public Law
Im Neuenheimer Feld 280
69120 Heidelberg
Germany

Phone: +49 (0)6221 420
Email: datenschutz[at]dkfz.de

 

III. General Information on Data Processing

1. Scope of Processing of Personal Data

We process personal data of our users only to the extent necessary to provide a functional website and our content and services. As a rule, personal data of our users is processed only with the user's consent. An exception applies in cases where obtaining prior consent is not possible for factual reasons and the processing of data is permitted by law.

When visiting this website, your browsing behaviour may be statistically analysed. This is done primarily using so-called analysis programs. Detailed information about these analysis programs can be found in this Privacy Policy.

We point out that data transmission over the Internet (e.g. when communicating by email) may be subject to security vulnerabilities. Complete protection of data against access by third parties is not possible.

2. Legal Basis for the Processing of Personal Data

 

Where we obtain the consent of the data subject for processing operations involving personal data, Art. 6(1)(a) of the EU General Data Protection Regulation (GDPR) serves as the legal basis.

When processing personal data that is necessary for the performance of a contract to which the data subject is party, Art. 6(1)(b) GDPR serves as the legal basis. This also applies to processing operations necessary for the performance of pre-contractual measures.

Where processing of personal data is necessary for compliance with a legal obligation to which our organisation is subject, Art. 6(1)(c) GDPR serves as the legal basis.

In the event that vital interests of the data subject or another natural person make it necessary to process personal data, Art. 6(1)(d) GDPR serves as the legal basis.

Where processing is necessary for the purposes of a legitimate interest pursued by our organisation or a third party, and where the interests, fundamental rights and freedoms of the data subject do not override that interest, Art. 6(1)(f) GDPR serves as the legal basis for processing.

In the event of explicit consent to the transfer of personal data to third countries, data processing is also carried out on the basis of Art. 49(1)(a) GDPR. Where you have consented to the storage of cookies or access to information on your end device (e.g. via device fingerprinting), data processing is additionally based on § 25(1) TTDSG.

 

3. Data Deletion and Storage Duration

 

Personal data of the data subject will be deleted or blocked as soon as the purpose for storage no longer applies. Storage beyond this point may occur if provided for by the European or national legislator in EU regulations, laws or other provisions to which the controller is subject. Data will also be blocked or deleted when a storage period prescribed by the aforementioned standards expires, unless there is a need to continue storing the data for the purposes of concluding or performing a contract.

 

IV. Provision of the Website and Creation of Log Files

 

1. Description and Scope of Data Processing

Each time our website is accessed, our system automatically collects data and information from the computer system of the accessing device.

The following data is collected:

  1. Information about the browser type and version used

  2. The user's operating system

  3. The user's IP address (anonymised/truncated)

  4. Date and time of access

  5. Websites from which the user's system reaches our website (referrer URL)

  6. Pages accessed and time spent on the website

The data is also stored in log files of our system. This data is not stored together with other personal data of the user.

This website is hosted externally by Wix.com Ltd., 40 Namal Tel Aviv St., Tel Aviv 6350671, Israel. Personal data collected on this website is stored on the host's servers. This may include in particular IP addresses, contact requests, meta and communication data, contract data, contact details, names, website accesses and other data generated via a website.

 

2. Legal Basis for Data Processing

 

The legal basis for the temporary storage of data and log files is Art. 6(1)(f) GDPR.

External hosting is carried out for the purpose of fulfilling contracts with our potential and existing customers (Art. 6(1)(b) GDPR) and in the interest of a secure, fast and efficient provision of our online services by a professional provider (Art. 6(1)(f) GDPR). Where appropriate consent has been obtained, processing is carried out exclusively on the basis of Art. 6(1)(a) GDPR and § 25(1) TTDSG. Consent may be withdrawn at any time.

 

3. Purpose of Data Processing

 

The temporary storage of the IP address by the system is necessary to enable delivery of the website to the user's device. For this purpose, the user's IP address must be stored for the duration of the session. The storage in log files serves to ensure the functionality of the website. The data also serves to technically optimise the website and to ensure the security of our information technology systems. The legitimate interest in data processing pursuant to Art. 6(1)(f) GDPR also lies in these purposes.

 

4. Data Transfer to Third Countries

 

Wix servers are located in the USA. Data transfer to the USA is carried out on the basis of the EU Commission's standard contractual clauses pursuant to Art. 46 GDPR. Wix.com Ltd. is also certified under the EU-US Data Privacy Framework, which ensures an adequate level of data protection for data transfers to the USA.

 

5. Data Processing Agreement

 

We have concluded a Data Processing Agreement (DPA) with Wix.com Ltd. This is a contract required under data protection law which ensures that Wix processes the personal data of our website visitors only in accordance with our instructions and in compliance with the GDPR.

 

6. Storage Duration

 

Data is deleted as soon as it is no longer required for the purpose for which it was collected. In the case of data collected for the purpose of providing the website, this is the case when the respective session has ended. In the case of data stored in log files, this occurs after no more than seven days. Storage beyond this point is possible; in this case, the IP addresses of the users are deleted or anonymised so that the accessing client can no longer be identified.

 

7. Right to Object and Removal

 

The collection of data for the provision of the website and the storage of data in log files is strictly necessary for the operation of the website. Consequently, there is no right of objection for the user.

 

V. Use of Cookies

 

1. Description and Scope of Data Processing

 

Our website uses cookies. Cookies are text files that are stored in or by the internet browser on the user's computer system. When a user visits a website, a cookie may be stored on the user's operating system. This cookie contains a characteristic string of characters that enables the browser to be uniquely identified when the website is accessed again.

This website uses cookies from Wix to ensure the functionality of the website and to improve the user experience. Wix sets both necessary and optional cookies. The following data is stored and transmitted in the cookies:

  1. Session cookies for managing the user session

  2. Functional cookies for website features

  3. Performance cookies for performance optimisation (with consent only)

We also use cookies on our website that allow analysis of users' browsing behaviour. When accessing our website, users are informed about the use of cookies for analysis purposes and their consent to the processing of personal data used in this context is obtained. Reference is also made to this Privacy Policy in this regard.

Consent Management Platform (Usercentrics for Wix)

This website uses Usercentrics for Wix (formerly Cookiebot for Wix), a Consent Management Platform (CMP) provided by Usercentrics GmbH, Sendlinger Straße 7, 80331 Munich, Germany.

Usercentrics for Wix enables us to obtain, manage and document your consent for the use of cookies and other tracking technologies. The platform automatically scans our website for cookies and trackers in use and presents these to you in a consent banner.

Categories of data processed by Usercentrics:

  • Your consent decisions (which cookie categories you have accepted or rejected)

  • Timestamp of your consent

  • Consent ID (unique identifier of your consent decision)

  • IP address (anonymised)

  • Browser user-agent

  • URL of the visited website

You can change your consent settings at any time by reopening the cookie banner or accessing the cookie settings via the corresponding link at the bottom of this website.

Further information can be found in the Usercentrics Privacy Policy: https://usercentrics.com/privacy-policy/

 

2. Legal Basis for Data Processing

 

The legal basis for the processing of personal data using technically necessary cookies is Art. 6(1)(f) GDPR.

The legal basis for the processing of personal data using cookies for analysis purposes, where the user has given their consent, is Art. 6(1)(a) GDPR and § 25(1) TTDSG. Consent may be withdrawn at any time.

Processing by Usercentrics is carried out on the basis of Art. 6(1)(c) GDPR (legal obligation) and Art. 6(1)(f) GDPR (legitimate interest in the legally compliant documentation of consents).

 

3. Purpose of Data Processing

 

The purpose of using technically necessary cookies is to enable users to use the website. Some features of our website cannot be offered without the use of cookies. It is necessary for these features that the browser is recognised after a page change. Personal data collected by technically necessary cookies are not used to create user profiles.

The use of analysis cookies serves the purpose of improving the quality of our website and its content. Usercentrics for Wix is used to obtain the legally required consent for the use of cookies and to document this in a data protection-compliant manner. This serves to fulfil our legal obligations under the GDPR and TTDSG.

 

4. Storage Duration

 

Session cookies are automatically deleted when your visit ends. Persistent cookies remain stored on your end device until you delete them yourself or your web browser automatically deletes them. Your consent data (Usercentrics) is stored for 12 months. After this period expires, you will be asked for your consent again.

Consent data is stored on Google Cloud Platform servers in Germany and Belgium.

 

5. Data Processing Agreement

 

We have concluded a Data Processing Agreement (DPA) with Usercentrics pursuant to Art. 28 GDPR.

 

6. Right to Object and Removal

 

Cookies are stored on the user's device and transmitted from there to our website. As a user, you therefore have full control over the use of cookies. By changing the settings in your internet browser, you can disable or restrict the storage of cookies. Cookies that have already been stored can be deleted at any time. If cookies for our website are disabled, it may no longer be possible to use all features of the website to their full extent.

 

VI. Contact Form and Email Contact

 

1. Description and Scope of Data Processing

 

A contact form is available on our website that can be used for electronic contact. If a user makes use of this option, the data entered in the input form is transmitted to us and stored. We use Wix Forms, a service provided by Wix.com Ltd., for the contact forms on this website. Data entered via the form is stored on Wix's servers and forwarded to us.

At the time of sending the message, the following additional data is also stored:

  1. The user's IP address

  2. Date and time of the submission

Alternatively, contact can be made via the provided email address or by telephone. In this case, the user's personal data transmitted with the email or call (name, enquiry) will be stored. No data is passed on to third parties in this context. Data is used exclusively for processing the conversation.

 

2. Legal Basis for Data Processing

 

The processing of this data is carried out on the basis of Art. 6(1)(b) GDPR if your enquiry relates to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, processing is based on our legitimate interest in effectively handling enquiries addressed to us (Art. 6(1)(f) GDPR) or on your consent (Art. 6(1)(a) GDPR) where this has been obtained; consent may be withdrawn at any time.

 

3. Purpose of Data Processing

 

The processing of personal data from the input form serves us solely to handle the contact. In the case of contact by email, this also constitutes the necessary legitimate interest in processing the data.

Other personal data processed during the submission process serve to prevent misuse of the contact form and to ensure the security of our information technology systems.

 

4. Storage Duration

 

The data you enter in the contact form will remain with us until you request deletion, withdraw your consent to storage, or the purpose for data storage no longer applies (e.g. after your enquiry has been fully processed). Mandatory statutory provisions – in particular statutory retention periods – remain unaffected.

 

5. Right to Object and Removal

 

The user has the right to withdraw their consent to the processing of personal data at any time. If the user contacts us by email, they may object to the storage of their personal data at any time. In such a case, the conversation cannot be continued. All personal data stored in the course of making contact will be deleted in this case.

 

VII. Blog (Wix Blogs)

 

1. Description and Scope of Data Processing

 

This website uses the blog feature of Wix (Wix Blogs), a service provided by Wix.com Ltd. Wix Blogs allows us to publish and manage blog posts. When you visit our blog pages or leave comments, the following data is processed:

When only reading blog posts:

  • IP address (anonymised)

  • Browser information

  • Date and time of access

  • Pages accessed

When using the comment function (if activated):

  • Name (required)

  • Email address (required)

  • Website (optional)

  • Comment text

  • Timestamp

  • IP address

 

2. Legal Basis for Data Processing

 

Processing is carried out on the basis of Art. 6(1)(f) GDPR (legitimate interest in providing an information service). If you leave a comment, processing is carried out on the basis of Art. 6(1)(a) GDPR (your consent through the active act of commenting) or Art. 6(1)(b) GDPR, if the comment function is part of a contractual relationship.

 

3. Purpose of Data Processing

 

Processing serves to provide a publicly accessible information service and – where the comment function is active – to enable interaction with our content.

 

4. Data Transfer to Third Countries

 

Data collected via Wix Blogs is stored on Wix servers in the USA. Data transfer is carried out on the basis of the EU Commission's standard contractual clauses and the EU-US Data Privacy Framework.

 

5. Storage Duration

 

Your comment data is stored until you request deletion or the purpose for data storage no longer applies (e.g. in the case of spam or unlawful content). Mandatory statutory retention periods remain unaffected.

 

6. Data Processing Agreement

Data processing by Wix Blogs is carried out within the framework of our existing Data Processing Agreement (DPA) with Wix.com Ltd.

VIII. Web Analytics (Wix Analytics)

 

1. Scope of Processing of Personal Data

 

This website uses Wix Analytics, a web analytics service provided by Wix.com Ltd. Wix Analytics enables us to analyse the use of our website. When individual pages of our website are accessed, the following data is stored:

  1. IP addresses (truncated/anonymised)

  2. Browser information

  3. Device information

  4. Page views and click behaviour

  5. Referrer URL

  6. Time spent on the website

 

2. Legal Basis for the Processing of Personal Data

 

The use of this analytics tool is based on Art. 6(1)(f) GDPR. The website operator has a legitimate interest in analysing user behaviour in order to optimise both its web offering and its advertising. Where appropriate consent has been obtained, processing is carried out exclusively on the basis of Art. 6(1)(a) GDPR and § 25(1) TTDSG. Consent may be withdrawn at any time.

 

3. Purpose of Data Processing

 

The processing of users' personal data enables us to analyse the browsing behaviour of our users. By evaluating the data obtained, we are able to compile information about the use of the individual components of our website. This helps us to continually improve our website and its user-friendliness. The legitimate interest in the processing of data pursuant to Art. 6(1)(f) GDPR also lies in these purposes.

 

4. IP Anonymisation

 

Wix Analytics uses IP anonymisation. Your IP address is truncated prior to analysis so that it can no longer be uniquely attributed to you.

 

5. Data Transfer to Third Countries

 

Wix also processes data on servers in the USA. Data transfer is carried out on the basis of the EU Commission's standard contractual clauses and the EU-US Data Privacy Framework.

 

6. Storage Duration

 

Data is deleted as soon as it is no longer required for our analysis purposes.

7. Right to Object and Removal

Cookies are stored on the user's device and transmitted from there to our website. As a user, you therefore have full control over the use of cookies. By changing the settings in your internet browser, you can disable or restrict the storage of cookies. Cookies that have already been stored can be deleted at any time.

 

8. Data Processing Agreement

 

We have concluded a Data Processing Agreement (DPA) with Wix. This is a contract required under data protection law which ensures that Wix processes the personal data of our website visitors only in accordance with our instructions and in compliance with the GDPR.

 

9. Rights of the Data Subject

 

Where personal data concerning you is processed, you are a data subject within the meaning of the GDPR, and you have the following rights against the controller:

 

10. Right of Access

 

You may request confirmation from the controller as to whether personal data concerning you is being processed by us. Where such processing takes place, you may request information about the purposes of processing, the categories of personal data concerned, recipients, the intended storage period, the origin of the data, and the existence of a right to rectification, erasure or restriction of processing. You have the right at any time to receive free information about the origin, recipient and purpose of your stored personal data.

 

11. Right to Rectification

 

You have the right to obtain from the controller the rectification and/or completion of personal data concerning you that is inaccurate or incomplete. The controller must carry out the rectification without undue delay.

 

12. Right to Restriction of Processing

You have the right to request restriction of the processing of your personal data. You may contact us at any time for this purpose. The right to restriction of processing exists in the following cases:

  1. If you contest the accuracy of your personal data stored with us, we generally need time to verify this. For the duration of the verification, you have the right to request restriction of processing of your personal data.

  2. If the processing of your personal data was/is unlawful, you may request restriction of data processing instead of erasure.

  3. If we no longer need your personal data, but you need it for the establishment, exercise or defence of legal claims, you have the right to request restriction of the processing of your personal data instead of erasure.

  4. If you have lodged an objection pursuant to Art. 21(1) GDPR, a balancing of your interests and ours must be carried out. As long as it has not yet been determined whose interests prevail, you have the right to request restriction of the processing of your personal data.

Where processing of your personal data has been restricted, that data may – with the exception of storage – only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or a member state.

 

13. Right to Erasure

 

You may request the controller to erase the personal data concerning you without undue delay, provided one of the legally prescribed grounds applies (e.g. if the data is no longer necessary for the purposes for which it was collected or you withdraw your consent). The right to erasure does not apply where processing is necessary for compliance with a legal obligation or for the establishment, exercise or defence of legal claims.

 

14. Right to Notification

 

Where you have exercised the right to rectification, erasure or restriction of processing against the controller, the controller is obliged to notify all recipients to whom the personal data concerning you has been disclosed of this rectification, erasure or restriction of processing, unless this proves impossible or involves a disproportionate effort. You have the right against the controller to be informed about these recipients.

 

15. Right to Data Portability

You have the right to receive personal data concerning you, which you have provided to the controller, in a structured, commonly used and machine-readable format. You also have the right to transmit that data to another controller, where technically feasible.

 

16. Right to Object

 

YOU HAVE THE RIGHT TO OBJECT AT ANY TIME, ON GROUNDS RELATING TO YOUR PARTICULAR SITUATION, TO PROCESSING OF PERSONAL DATA CONCERNING YOU WHICH IS BASED ON ART. 6(1)(E) OR (F) GDPR; THIS ALSO APPLIES TO PROFILING BASED ON THOSE PROVISIONS. THE LEGAL BASIS ON WHICH PROCESSING IS BASED CAN BE FOUND IN THIS PRIVACY POLICY. IF YOU OBJECT, WE WILL NO LONGER PROCESS YOUR PERSONAL DATA UNLESS WE CAN DEMONSTRATE COMPELLING LEGITIMATE GROUNDS FOR THE PROCESSING WHICH OVERRIDE YOUR INTERESTS, RIGHTS AND FREEDOMS, OR THE PROCESSING IS FOR THE ESTABLISHMENT, EXERCISE OR DEFENCE OF LEGAL CLAIMS (OBJECTION PURSUANT TO ART. 21(1) GDPR).

WHERE YOUR PERSONAL DATA IS PROCESSED FOR DIRECT MARKETING PURPOSES, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME TO PROCESSING OF PERSONAL DATA CONCERNING YOU FOR SUCH MARKETING; THIS APPLIES ALSO TO PROFILING TO THE EXTENT THAT IT IS RELATED TO SUCH DIRECT MARKETING. IF YOU OBJECT, YOUR PERSONAL DATA WILL SUBSEQUENTLY NO LONGER BE USED FOR DIRECT MARKETING PURPOSES (OBJECTION PURSUANT TO ART. 21(2) GDPR).

 

17. Right to Withdraw Consent

 

Many data processing operations are only possible with your explicit consent. You may withdraw consent that you have already given at any time. The lawfulness of data processing carried out prior to the withdrawal remains unaffected by the withdrawal.

 

18. Right to Lodge a Complaint with a Supervisory Authority

 

In the event of breaches of the GDPR, data subjects have the right to lodge a complaint with a supervisory authority, in particular in the member state of their habitual residence, place of work or place of the alleged infringement. The right to lodge a complaint is without prejudice to any other administrative or judicial remedy.

 

19. Note on SSL/TLS Encryption

 

This website uses SSL/TLS encryption for security reasons and to protect the transmission of confidential content, such as enquiries you send to us as the website operator. You can recognise an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://" and by the lock symbol in your browser bar. When SSL/TLS encryption is activated, the data you transmit to us cannot be read by third parties.

 

20. Note on Data Transfer to Third Countries Not Considered Safe Under Data Protection Law

 

We use tools from companies based in third countries that are not considered safe under data protection law, as well as US-based tools whose providers are not certified under the EU-US Data Privacy Framework (DPF). Where these tools are active, your personal data may be transferred to and processed in these countries. We draw your attention to the fact that an equivalent level of data protection to that guaranteed in the EU cannot be assured in third countries not considered safe under data protection law.

We point out that the USA, as a designated safe third country, generally offers a level of data protection comparable to that of the EU. A data transfer to the USA is therefore permissible where the recipient holds certification under the "EU-US Data Privacy Framework" (DPF) or has other appropriate safeguards in place. Information on transfers to third countries, including the relevant data recipients, can be found in this Privacy Policy.

Last updated: March 2026

© 2026 EDY diagnostics
