Data privacy protection
Name and address of the person responsible
The person responsible for the purposes of the General Data Protection Regulation (GDPR) and other national data protection laws of the member states, as well as other data protection regulations, is:
PANDA collaboration - spokesperson
Facility for Antiproton and Ion Research in Europe GmbH (FAIR GmbH)
General information on data processing
1. Scope of the processing of personal data
We collect and use personal data of our users in principle only as far as it is necessary to provide a functional website as well as our contents and services. Collection and use of our users' personal data is carried out regularly only after the users' approval. An exception applies in cases where it is impossible for factual reasons to obtain the user's approval beforehand and where processing the data is allowed by legal stipulations.
2. Legal basis for processing of personal data
As far as we are asking for the consent of the respective person to the processing of personal data, Art. 6 para. 1 lit. a of the EU GDPR serves as legal basis.
With the processing of personal data which are necessary to fulfil a contract where the respective person is a contractual party, Art. 6 para. 1 lit. b GDPR serves as legal basis. This also applies to procedures which are required for carrying out pre-contractual measures.
As far as the processing of personal data is necessary to fulfil a legal obligation which our company is subject to, Art. 6 para. 1 lit. c GDPR serves as legal basis.
In case vital interests of the person involved or of another natural person require processing of the personal data, Art. 6 para. 1 lit. d GDPR serves as legal basis.
If processing of the data is necessary to meet rightful interests of our company or a third party and if the interests, basic rights and fundamental freedoms of the involved person are not affected by the interests mentioned before, Art. 6 para. 1 lit. f GDPR is the legal basis for processing the data.
3. Deleting of data and duration of storage
The personal data of the respective person are deleted or blocked as soon as the purpose of the storage lapses. Moreover, storage can be done when this was stipulated by European or national legislators in Union regulations, laws, or other provisions the person responsible is subject to. Blocking or deleting of the data is also done if a storage period stipulated by the aforementioned standards expires, unless there is a necessity to further store the data for the purpose of concluding a contract or fulfilment of a contract.
Providing the web page and creating log files
1. Description and scope of data processing
Each time our web page is accessed, our system automatically records data and information from the computer system from which the web page is accessed. The data recorded are those typical for a web server, as follows:
- date and time of the access
- IP address of the requesting device
- the request protocol
- requested URL (Uniform Resource Locator = webpage)
- HTTP status code
- amount of delivered bytes
- referrer where the request has its origin
- session cookies
- processing time for the request
The data are being processed and stored in the log files of our web server. These data are not being stored together with other personal data of the user.
In case of authenticated (= logged in) users, i.e. members of the PANDA collaboration, personal data which is necessary for the teamwork in the collaboration is stored in a database. Each member can check their data status online by viewing their profile.
2. Legal basis for the data processing
Legal basis for temporary storage of data and log files is Art. 6 para. 1 lit. f GDPR.
3. Purpose of data processing
A temporary storage of the IP address by the system is necessary in order to enable provision of the web page to the computer of the user. For this purpose, it is required to keep the IP address of the user in store for the duration of the session.
Storage in log files is done to ensure functionality of the web page. In addition, the data serve to maintain safety of our information technology systems. There is no evaluation of the data for marketing purposes in this context. These purposes are also our rightful interest in data processing according to Art. 6 para. 1 lit. f GDPR.
4. Duration of storage
Data are deleted as soon as they are no longer necessary to serve the purpose of their collection. In case of the collection of data to provide the web page, this is the case when the respective session has ended. In case of the collection of data in logfiles it is the usual webserver logrotate period of one year. In case of the collaboration membership data, deletion of data will take place as soon as the collaboration is terminated.
5. Possibility of lodging an objection and of elimination
Recording the data in order to provide the web page and storage of data in log files is essential for operating the web page. Therefore, there is no possibility of lodging an appeal/objection by the user.
1. Description and scope of data processing
We are using cookies in order to design our website in a user-friendly way. Several elements of our website require the possibility to identify the entering browser even after having changed the page.
2. Legal basis of data processing
Legal basis of processing personal data using cookies is Art. 6 para. 1 lit. f GDPR.
3. Purpose of data processing
We require cookies for the following applications/functions:
- The entire Drupal website (Content Management System) absolutely requires cookies;
- Front end log-in
User data recorded by cookies, which are technically necessary, are not used for the creation of user profiles.
Within these purposes also lies our rightful interest in processing the personal data according to Art. 6 para. 1 lit. f GDPR.
4. Duration of storage, possibility to object or to eliminate
Transmission of flash cookies cannot be prevented by the browser settings but by changing the Flash Player settings.
Rights of the person concerned
In case your personal data is being processed, you are a person concerned according to GDPR and you have the following rights against the person responsible:
1. Right of information
You are entitled to demand from the responsible person a confirmation that personal data concerning you are being processed by us. In case there is such data processing, you can demand from the responsible person to reveal the following information:
- The purposes for which personal data are being processed;
- categories of personal data that are being processed;
- the receiver, resp. the categories of receivers, towards whom the personal data concerning you were disclosed or will be disclosed;
- the planned duration of storage of the personal data concerning you or, in case precise information hereto is impossible, criteria for determining the storage period;
- the existence of a right of rectification or elimination of the personal data concerning you, a right of limitation of data processing by the person responsible or a right to object to this data processing;
- the existence of a right to appeal before a supervising authority;
- all information available on the origin of the data in case the personal data are not collected from the person concerned;
- the existence of an automatized decision-making, including profiling according to Art. 22 para. 1 and 4 GDPR and – at least in such cases – explicit information on: the logic involved, as well as the impact and the intended effect on the person concerned, by data processing of such kind.
You have the right to demand information as to whether the personal data concerning you are transmitted to a third country or to an international organization. In this context, you can request to be notified of appropriate safeguards according to Art. 46 GDPR in connection with the transmission.
2. Right of rectification
You have a right of rectification and/or completion against the person responsible, insofar as the processed personal data that are concerning you are incorrect or incomplete. The responsible person has to make the rectification without delay.
3. Right of limitation of the data processing
On the conditions mentioned below, you can require a limitation of processing of the personal data concerning you:
- you dispute the correctness of the personal data concerning you, for a time period that enables the person responsible to investigate the correctness of the personal data;
- the data processing is unlawful and you refuse deletion of the personal data and instead demand a limitation of use of the personal data;
- the person responsible no longer needs the personal data for the purpose of processing, but you need them in order to claim, execute or defend legal rights, or
- you have entered an objection to the data processing according to Art. 21 para. 1 GDPR and it is still not certain whether justified reasons of the responsible person are prevailing over your reasons.
In case processing of the personal data concerning you was limited, the data can only be processed – apart from their storage – with your consent or in order to claim, execute or defend legal rights, or to protect the rights of another natural or legal person, or for reasons of an important public interest of the Union or of a member state.
In case the data processing was limited under the conditions mentioned above, you will be notified before the limitation is removed.
4. Right of deletion
a) Obligation of deletion
You can demand of the responsible person that the personal data concerning you are to be deleted immediately and the responsible person is obliged to delete the data without delay provided that one of the following causes exists:
- The personal data concerning you are no longer necessary for the purposes for which they were collected or handled otherwise.
- You are revoking your consent on the grounds of which data processing according to Art. 6 para. 1 lit. a or Art. 9 para. 2 lit. a GDPR was done, and there is no other legal basis for data processing.
- You are entering an objection according to Art. 21 para. 1 GDPR to the data processing and there are no predominant justified reasons for processing the data, or you are appealing in accordance with Art. 21 para. 2 GDPR against the data processing.
- The personal data concerning you were handled in an unlawful way.
- Deletion of the personal data concerning you is necessary to fulfil a legal obligation under the Union law or the law of the member states the responsible person is subject to.
- The personal data concerning you were collected relating to services offered by the information society under Art. 8 para. 1 GDPR.
b) Passing information to a third party
In case the person responsible has disclosed the personal data in question to the public and if he is obliged to delete them according to Art. 17 para. 1 GDPR, he takes adequate measures, also of technical nature, taking into account available technology as well as costs for their implementation, in order to inform the persons responsible for personal data processing that you, being the person concerned, have demanded from them the elimination of all links to these personal data or copies or replications of these personal data.
The right of deletion of data does not exist insofar as processing is necessary
- to exercise the right of the freedom of expression and of information;
- to fulfil a legal obligation requiring the data processing under the law of the Union or of the member states the responsible person is subject to, or in order to perform a task carried out in the public interest, or to exercise official authority, the responsible person was entrusted with;
- for reasons of public interest in the field of public health in accordance with Art. 9 para. 2 lit. h and i as well as Art. 9 para. 3 GDPR;
- for archiving purposes which are of public interest, scientific or historic research purposes or for statistical purposes according to Art. 89 para. 1 GDPR, insofar as the right mentioned in section a) is likely to render impossible or to seriously affect achievement of the objectives of this data processing; or
- in order to claim, exercise or defend legal entitlements.
5. Right of information
In case you have claimed the right of information, deletion or limitation of data processing against the person responsible, he is obliged to communicate this claim to deletion of the data or limitation of their processing to all recipients to whom the personal data concerning you were disclosed, unless this proves impossible or involves a disproportionate effort.
You are entitled to be informed of these recipients by the person responsible.
6. Right of data portability
You have the right to receive the personal data concerning you, which you have provided the responsible person with before, in a structured, common and machine-readable format. Moreover, you are entitled to transmit these data to another responsible person without hindrance by the responsible person whom you had provided with the personal data if
- processing the data is based on a consent according to Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR or on a contract according to Art. 6 para. 1 lit. b GDPR and
- the data processing is carried out by means of automatized procedures.
Upon exercising this right, you are, in addition, entitled to obtain that the personal data concerning you are transmitted directly from one responsible person to another responsible person, insofar as this is technically feasible. Freedoms and rights of other persons must not be adversely affected by this.
The right of portability does not apply to such processing of personal data which is necessary to carry out a task of public interest or in the exercise of official authority the person responsible was entrusted with.
7. Right of objection
You are entitled to enter an objection to the processing of personal data concerning you and collected under Art. 6 para. 1 lit. e or f GDPR, any time, for reasons arising from your particular situation; this also applies to a profiling based on these regulations.
The person responsible no longer processes the respective personal data unless he can prove compelling and legitimate reasons for the data processing which outweigh your interests, rights and freedoms, or the data processing serves to claim, exercise or defend legal rights.
In case the personal data concerning you are being processed in order to carry out direct advertising, you are entitled to enter an objection against the processing of the personal data concerning you for the purpose of such advertising; this also applies to profiling as far as it is referring to such direct advertising.
If you enter an objection to the data processing for the purpose of direct advertising, the personal data concerning you are no longer processed for this purpose. You have the opportunity to exercise your right of objection, in the context of the use of services of the information society, by means of automatized procedures where technical specifications are used, notwithstanding Directive 2002/58/EC.
8. Right to revoke the declaration of consent under data protection law
You have the right to revoke your given consent under data protection law at any time. By revoking the declaration of consent, legality of the data processing done on the basis of the given consent before revoking it remains unaffected.
9. Automatized decision in individual cases, including profiling
You are entitled not to be subjected to a decision which is based only on automatized processing, including profiling, and which has a legal effect against you or considerably affects you in similar ways.
This does not apply if the decision
- is necessary in order to conclude or to fulfil a contract between you and the person responsible;
- is justified based on legal regulations of the Union or of the member states the responsible person is subject to, and these legal regulations contain adequate measures for preservation of your rights and freedoms as well as rightful interests, or
- is made with your express consent.
However, these decisions must not be based on special categories of personal data under Art. 9 para. 1 GDPR, unless Art. 9 para. 2 lit. a or g GDPR applies and adequate measures for protection of your rights and freedoms as well as your justified interests were taken.
Regarding the cases mentioned in 1. and 3., the person responsible takes adequate measures in order to safeguard rights and freedoms as well as legitimate interests, which involves at least the right to obtain intervention of a person on the part of the responsible person, the right to make his own views known, and of legal challenge of the decision.
10. Right to appeal with a supervising authority
Notwithstanding another administrative or judicial legal remedy, you are entitled to file a complaint with a supervising authority, particularly in the member state of your residence, your place of work, or the place of the alleged infringement, if you take the view that the processing of the personal data concerning you is infringing the GDPR.
The supervising authority the complaint was filed with notifies the complainant about the status and the outcomes of the complaint, including the possibility of a judicial remedy pursuant to Art. 78 GDPR.