Privacy policy of DKMS Registry


1. Introduction
DKMS Registry gGmbH (“DKMS Registry”) respects your privacy and is committed to protecting your personal data. This privacy policy has been written to provide you with an overview of how we collect, store, process, and share your personal data and how you can exercise your privacy rights.

This privacy policy applies whenever you share personally identifiable information with DKMS Registry using one of the following channels, regardless of where you access the services from:
  • Our website www.donornavigator.org
  • Our website new.hapesearch.org
  • By e-mail, fax, letters (mail), phone or in personal communication
  • Using social media services to contact DKMS Registry’s organizational representation (e.g. LinkedIn)
Personal data means any information relating to an identified or identifiable natural person, including your IP address, name, address, e-mail data and user behavior.

Please read this privacy policy in full to ensure you are completely informed about the use of your personal data.

When processing your personal data, we adhere to the data protection specifications of the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (German: Bundesdatenschutzgesetz (BDSG)) in its current valid version.

When you access our content on www.dkmsregistry.org hosted by DKMS Group gGmbH as part of professional.dkms.org, please refer to the privacy policy on this site for details about the technical functionalities and data use by this website (https://professional.dkms.org/privacy-policy).

This is version number 2.0.

2. Purpose of this privacy policy
The privacy policy gives you information on how DKMS Registry processes your personal data:
  • through your use of this website, including any personal data you may provide through this website or when you provide feedback to us;
  • when you interact with us over LinkedIn (in this regard please take a look at the provider's privacy policy), by e-mail, by contact form, by telephone, mail or in person.

3. Controller and contact details
3.1. The controller (Art. 4 para. 7 GDPR) is DKMS Registry gGmbH having its seat at Kressbach 1, 72072 Tübingen, Germany.
3.2. You can reach our data protection officer (“DPO”) who is responsible for overseeing questions in relation to this privacy policy using the e-mail address dataprotection@dkmsregistry.org or by writing to our postal address.

4. What personal data do we process on our website?
4.1. Purely informational use: If you wish to view our website purely for informational use, we process the following data which is technically necessary in order to display our website to you as well as to ensure stability and security of display:
  • IP address
  • Time and date of the inquiry
  • Content of the request (specific page)
  • HTTP status code
The IP address is the globally valid, unique identifier of a computer or provider. As a private user, you will generally not use a consistent IP address since these are assigned on a temporary basis by your provider for one session. However, in principle, it is possible to uniquely allocate user data via this attribute using static IP addresses. Our servers save IP addresses for a maximum of three weeks. Afterwards the access data is deleted.
All other data described above is recorded cumulatively for all users of the website, meaning that it is not possible to assign the data to a specific person. This data is not merged with data from other data sources.

4.2. Use of our web-applications Donor Navigator or Hap-E Search by logging in with your credentials: When you have been authorized to use our web-applications and have registered for a user account, DKMS Registry processes your user data as well as data you provide within the application itself. Data processing when using Donor Navigator or Hap-E Search is covered in the Terms of Use that will be displayed after first login into the software and whenever an update occurs. Please read these terms of use carefully to understand your obligations and rights concerning the data entered, processed, stored and shared on your behalf when using these services of DKMS Registry.

4.3. Contact via LinkedIn, e-mail, contact form on our website or by phone or personal communication: If you contact us via one of these channels, we will additionally process and save the personal data that you have provided (e.g. your e-mail address and, possibly, your name and phone number) in order to answer your questions. This personal data can be saved in our e-mailing system or other systems, like for example, a customer relationship management system (CRM system) or some comparable system if there is a legal basis in doing so in the specific case. Please note that retention periods may apply to the data you provided.

5. For what purpose do we process your personal data?
5.1. We only process your personal data to the extent that is necessary in order to provide a working website and to provide our content and services. Personal data is only processed on a regular basis where this is permitted by statutory provisions or where the person concerned has provided the data to DKMS Registry as part of a request or has given consent. The legal basis for processing is Art. 6 para. 1 (b) GDPR or Art. 6 para. 1 (f) GDPR.

5.2. When you contact us by any communication channel, your personal data will only be processed for the purpose of answering your request. The legal basis for processing is Art. 6 para. 1 (f) GDPR.

6. Cookies
6.1. In addition to the data specified above, we use cookies to make our website available to you. Cookies are small text files that are saved on your hard disk, assigned to the browser that you use, and which supply certain information (see below for details) to the party that set the cookie (in this case to us). Cookies cannot execute any programs or transfer viruses to your computer. They have the purpose of making the website as a whole more user-friendly and more effective.

6.2. All of these cookies are necessary for the proper function of our website. We do not set cookies for analytics or statistical reasons. The legal basis for processing here is Art. 6 para. 1 lit. (f) of the GDPR.

6.3. You can configure your browser settings in accordance with your wishes and, for example, reject the acceptance of third-party cookies or even all cookies. Moreover, by selecting appropriate settings in your internet browser, you can prevent or restrict the installation of cookies. At the same time, cookies that have already been saved can be deleted at any time. However, the steps and measures that are necessary to do so depend on the specific internet browser that you use. If you have any questions, therefore, please refer to the help function or documentation for your internet browser or contact the corresponding manufacturer or support. Please note that you may not be able to use all the functions of this website if you reject cookies.

6.4. Our website uses cookies to store session IDs. These are used to establish a personal session when you use our web-applications via the website with the correct configuration. Further, we use technical cookies that enable correct navigation within our web-applications Donor Navigator and Hap-E Search after login. Our websites use the following types of cookies:

6.4.1. Transient cookies: Transient cookies are deleted automatically when you close the browser.

6.4.2. Persistent cookies: Persistent cookies are automatically deleted after a specified duration, which may differ depending on the cookie. You can delete cookies at any time in your browser’s security settings.

6.5. We also use HTML5 storage objects, which are stored on your device. These objects save the required data depending on the browser you use and do not have an automatic expiry date. We recommend regularly deleting your cookies and browser history manually. In most standard browsers, you can also ensure the automatic deletion of HTML5 storage objects at the end of your browser session by setting your browser to private mode.

7. How do we process your personal data?
7.1. You may only use our websites to retrieve information provided therein, to log into the web-application you have registered for or to contact us. Our website uses HTTPS encryption protocols. Whenever you transmit data to us, e.g. via the contact form, we use TLS 1.2 or higher encrypted transmission and always save your data on specially protected servers. Access to personal data is restricted to persons authorized by DKMS Registry to process this data, all of whom are familiar with the relevant data protection regulations, trained and compelled to comply with them.

7.2. As explained before, in case you contact us via one of the channels described in chapter 1, we will use the personal data provided to respond to your request.

7.3. Personal data received in this way will be stored and processed electronically within our secured and access-restricted infrastructure and will be made available to authorized persons only. DKMS Registry maintains a records-of-processing registry as required by the EU GDPR.

8. Is personal data passed on to third parties?
Only our authorized employees have access to your personal data. In addition, where this is prescribed or permitted by law, we share your personal data with agents and contractors who provide services for us. The reason for this is that, in order to fulfill our tasks, we need to work together with service providers, who may also have to process personal data for this purpose. We restrict the forwarding of your personal data to what is really necessary. The service providers have been carefully selected and commissioned by us, are bound by our instructions and are monitored on a regular basis. They are bound by a contract with DKMS Registry to ensure that any personal data that they receive in this context is used only for the allowed purpose. We assure you that we do not sell or rent your data to any other companies or organizations. We will under no circumstances use your e-mail address or other data without your agreement for any other purposes for which you have not given your consent.

If any of our processing activities require your personal data to be transferred outside Germany / the European Union, we will only make that transfer if:
  • we have put in place appropriate safeguards to protect your personal data, such as an appropriate contract with the recipient;
  • the transfer is necessary for one of the reasons specified in data protection legislation, such as the performance of a requested service between us and you; or
  • you explicitly consent to the transfer.

9. Data security
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents and contractors who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach that we become aware of where we are legally required to do so.

10. Why am I receiving information from DKMS Registry?
10.1. Users registered with one of our web-applications Donor Navigator or Hap-E Search will receive notifications and e-mails from DKMS Registry that are related to our services. User notifications are recommended to ensure donor searches without delays and thus switched on when you first access the application. Optional user notifications can be switched off in your user settings. The Terms of Use of the application you use apply in this context.

10.2. Visitors of our website will never be contacted by DKMS Registry unless they have solicited the communication by using our contact.

11. How long do we save your personal data – data retention?
11.1. We will only save any personal data that you have transmitted or provided until the purpose for doing so has been fulfilled, until you revoke your consent, until you object to the data being processed or until you request the deletion of your data.

11.2. If you use the website for purely informational purposes, we will save your data only temporarily as explained in chapter 4.

11.3. If you contact us by email or another contact channel, we will delete or anonymize any data recorded in this context once it is no longer necessary to save the data or will restrict processing if any data retention obligations apply. We check necessity on a regular basis.

12. Your data protection rights
12.1. You have the following rights with regard to your personal data that we process:

Right of access (Art. 15 GDPR)
  • What does it mean? Subject to certain conditions, you are entitled to have access to your personal data (this is more commonly known as submitting a “data subject access request”).
  • Limitations and conditions of your right: If possible, you should specify the type of information you would like to see to ensure that our disclosure is meeting your expectations. We must be able to verify your identity. Your request may not impact the rights and freedoms of other people, e.g. privacy and confidentiality rights of our staff.

Right to rectification (Art. 16 GDPR)
  • What does it mean? You may challenge the accuracy or completeness of your personal data and have it corrected or completed, as applicable. You have a responsibility to help us to keep your personal information accurate and up to date.
  • Limitations and conditions of your right: This right only applies to your own personal data. When exercising this right, please be as specific as possible.

Right to erasure (Art. 17 GDPR)
  • What does it mean? Subject to certain conditions, you are entitled to have your personal data erased (also known as the “right to be forgotten”), e.g. where your personal data is no longer needed for the purposes it was collected for, or where the relevant processing is unlawful.
  • Limitations and conditions of your right: We may not be in a position to erase your personal data, if for example, we need it to (i) comply with a legal obligation, or (ii) exercise or defend legal claims. Please be aware that retention periods may apply, during which we archive your data before final deletion of your personal data.

Right to restriction of processing (Art. 18 GDPR)
  • What does it mean? Subject to certain conditions, you have the right to object to or ask us to restrict the processing of your personal data.
  • Limitations and conditions of your right: As stated above, this right applies where our processing of your personal data is necessary for our legitimate interests. We may not be able to fulfill certain services when restrictions apply.

Right to data portability (Art. 20 GDPR)
  • What does it mean? Subject to certain conditions, you are entitled to receive the personal data which you have provided to us and which is processed by us by automated means, in a structured, commonly-used machine readable format.
  • Limitations and conditions of your right: If you exercise this right, you should specify the type of information you would like to receive (and where we should send it) where possible to ensure that our disclosure is meeting your expectations.


12.2. Information regarding your right of objection (Art. 21 GDPR)

You have the right to file an objection at any time against the processing of your data that takes place based on Art. 6 para. 1 (f) of the GDPR (data processing on the basis of the balancing of interests) or Art. 6 para. 1 (e) of the GDPR (data processing in the public interest) if there are grounds to do so as a result of your situation. This also applies to any profiling based on these regulations within the meaning of Art. 4 para. 4 of the GDPR.

If you file an objection, we will no longer process your personal data unless we are able to provide evidence of compelling and legitimate grounds for the processing that outweigh your interests, rights and liberties or the processing serves to assert, exercise or defend legal claims.

12.3. If you have given your consent for us to process your personal data, you can revoke this at any time. Once you have pronounced such a revocation to us, this affects the permissibility of processing your personal data. It is possible here to restrict the revocation of consent to process your personal data to specific purposes such as a newsletter (restriction of processing).

12.4. If you wish to exercise your rights described above, please submit your request to: DKMS Registry gGmbH, Kressbach 1, 72072 Tübingen, Germany or by e-mail to: dataprotection@dkmsregistry.org.

12.5. You also have the right to lodge a complaint with a data protection supervisory authority about the way in which we process your personal data. The responsible supervisory authority for DKMS Registry gGmbH is the “Landesbeauftragte für den Datenschutz und Informationsfreiheit Baden-Württemberg”. Phone: +49 711 61 55 41, Fax: +49 711 61 55 41, E-Mail: poststelle@lfdi.bwl.de.

If you have any questions regarding our privacy policy please contact our data protection officer at dataprotection@dkmsregistry.org.