Data Protection

We, the Hertie Institute for Artificial Intelligence in Brain Health (hereinafter “Hertie AI”), Hertie Institute for AI in Brain Health, Medizinische Fakultät Universität Tübingen, Ottfried-Müller-Straße 25, 72072 Tübingen, Germany herewith inform you about the processing of personal data for which we are responsible in the sense of the EU General Data Protection Regulation (GDPR).

You can reach our data protection officer by sending an e-mail to or by sending a letter to Data Protection Officer, Geschwister-Scholl-Platz, 72074 Tübingen.

Below we have compiled the most important information on typical data processing for you, broken down by groups of data subjects. For certain data processing operations, which only concern specific groups, the information requirements are fulfilled separately.

1. Website Visitors

1.1 Server log data

When using the website, certain information is sent to the server of our website by the browser used on your device for technical reasons. This data is stored and processed on our server.

1. We process the following data for the purpose of providing the contents of the website that you have visited, to ensure the security of the IT infrastructure used, to correct errors, to enable and simplify searches on the website and to manage cookies. A change of the purpose is not planned.
2. The data processed is HTTP data: HTTP data is protocol data that is generated for technical reasons when the Website is visited via the Hypertext Transfer Protocol (Secure) (HTTP(S)): This includes IP address, type and version of your Internet browser, operating system used, the page visited, the page previously visited (referrer URL), date and time of the visit. HTTP(S) data also accumulates on the servers of service providers (e.g. when requesting third-party content).
3. The legal basis for the processing is our legitimate interest in the operation of an internet presence and the communication with communication partners in accordance with Article 6 (1) (f) GDPR.
4. The data is automatically transmitted by the browser of the website visitor.
5. Recipients of the personal data are IT service providers which we use as processors within the framework of a data processing agreement.
6. IP addresses are anonymized after 24 hours at the latest. Pseudonymous usage data is deleted after six months.
7. Without disclosure of personal data such as the IP address, the use of the website is not possible. Communication via the website without disclosure of data is technically not possible.
    

1.2 Required Cookies – Google Tag Manager

We use cookies on our website. Cookies are small text files containing information that can be stored on the user's device via the browser when visiting a website. The information stored in cookies can be read out and processed when the website is visited again using the same device. In doing so, we use processing and storage functions of the browser of your device and collect information from the storage of the browser of your device.
In the structure of our privacy policy, we differentiate between „Required Cookies“, „Statistical Cookies“, „Marketing Cookies“ and „Third-Party Multi- and Social Media Content“. Cookies that are required for the functioning of the website, so called „Required Cookies“, cannot be deactivated via the cookie management function of this website. You can generally deactivate cookies at any time in your browser. Different browsers offer different ways to configure the cookie settings in the browser. However, we would like to point out that some functions of the website may not function or no longer function properly if you generally deactivate cookies in your browser.

We use the Google Tag Manager on our website. The Google Tag Manager enables us to manage cookies and control their placement. This enables us to implement, for example, your consent, a revocation of consent or an opt-out. The Google Tag Manager does not set its own cookies and does not process data stored in cookies.

1. The purpose of the data processing is to control the placement of cookies on our website and to ensure the security of the application. A change of purpose is not planned.
2. The processed data is HTTP data: HTTP data is protocol data that is generated for technical reasons when the Website is visited via the Hypertext Transfer Protocol (Secure) (HTTP(S)): This includes IP address, type and version of your Internet browser, operating system used, the page visited, the page previously visited (referrer URL), date and time of the visit. HTTP(S) data also accumulates on the servers of service providers (e.g. when requesting third-party content). Your IP address is automatically anonymized during processing.
3. The legal basis for the processing is our legitimate interest in the simple and reliable control of cookies in accordance with Article 6 (1) (f) GDPR.
4. The data is automatically transmitted by the browser of the user.
5. The recipient of the data is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland, which we use as processor within the framework of a data processing agreement.
6. IP addresses will be anonymized after 24 hours at the latest. Pseudonymous usage data will be deleted after six months.
7. Without disclosure of personal data the use of the website is not possible. Communication via the website without disclosure of data is technically not possible.

1.3 Statistical Cookies – Google Analytics

We use cookies on our website. Cookies are small text files containing information that can be stored on the user's device via the browser when visiting a website. The information stored in cookies can be read out and processed when the website is visited again using the same device. In doing so, we use processing and storage functions of the browser of your device and collect information from the storage of the browser of your device. 
In the structure of our privacy policy, we differentiate between „Required Cookies“, „Statistical Cookies“, „Marketing Cookies“ and „Third-Party Multi- and Social Media Content“. Depending on their function and purpose, the use of certain cookies may require the user's consent. Your consent is given through a so-called "Cookie Banner": When you visit our website, we display our cookie banner. In our cookie banner you can declare your consent to the use of all cookies requiring consent on this website by clicking on the "Select all" button. Without such consent, the cookies requiring consent are not activated. By setting the individual sliders, you can also make sophisticated settings with regard to the individual cookies or completely reject all cookies requiring consent and then click on the corresponding button to "Submit Preferences". We store your settings in the form of a cookie. Alternatively, you have the possibility to access our cookie banner by clicking on the "Change Cookie Preferences" button. In the cookie board, you can make an individual selection of cookies and customize them at a later time. We store your cookie settings in the form of a cookie on your device in order to determine whether you have already made cookie settings the next time you visit the website.

If you have given your consent, we use the web analysis tool Google Analytics on our website. With the help of Google Analytics, we can analyze the user behaviour of visitors to our website in pseudonymized and anonymised form. 
You can deactivate the data processing by Google Analytics at any time in our cookie banner. Alternatively, you can install a browser plug-in from Google which prevents data collection by Google Analytics: tools.google.com/dlpage/gaoptout;

1. The purpose of data processing is to analyze user behavior on our website. A change of purpose is not planned.
2. The processed data are:
   • Google Analytics HTTP data: 
     This is protocol data that is generated for technical reasons when using the web analysis tool Google Analytics via the Hypertext Transfer Protocol (Secure) (HTTP(S)) used on the website: This includes IP address, type and version of your Internet browser, operating system used, the page visited, the page previously visited (referrer URL), date and time of the visit.
   • Google Analytics device data:  
     Data generated by the web analysis tool Google Analytics and assigned to your device: This includes a unique ID for the (re-)recognition of returning visitors (so-called "client ID") as well as certain technical parameters for controlling data collection for web analysis.
   • Google Analytics measurement data: 
     Device-related raw data (so-called "dimensions" and " measurement results"), which are collected and analyzed by the web analysis tool Google Analytics when using our website: This includes, above all, information about the sources through which visitors reach our website, information about the location, the browser and the device used, information about the use of the website (in particular page views, frequency of visits and length of stay on accessed pages) as well as information about the fulfilment of certain purposes (in particular transactions in the online shop). The data is assigned to the client ID assigned to your device. As a result, device-related usage profiles are created in which all device-related raw data is combined into a client ID. The data that we collect using Google Analytics does not enable us to identify you personally (i.e. by your civil name). We also do not merge the device-related raw data and the resulting device-related usage profiles with data that directly identifies you personally without your consent.
   • Google Analytics report data: 
     Data contained in aggregated segment and device-related reports generated by the Google Analytics web analysis tool based on the analysis of device-related raw data.
3. The legal basis for the processing is your consent in accordance with Article 6 (1) (a) GDPR.
4. The data is automatically transmitted by the browser of the user. 
5. The recipient of the data is Google Ireland Limited (Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland) which we use as processor within the framework of a data processing agreement. Google Ireland Limited uses Google LLC in the USA (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) as its service provider. The basis for data processing in the USA is your consent granted through the cookie banner in accordance with Article 49 (1) (a) GDPR. In the USA, there is no level of data protection comparable to the provisions of the GDPR. It is possible that US authorities may access personal data without us or you being informed. An enforcement of your rights is probably not possible in the USA. You can withdraw your given consent at any time with effect for the future through the cookie banner. 
6. The data will be deleted after 6 months. 
7. The provision of data is not required by law or contract or necessary for the conclusion of a contract. There is no obligation on the data subject to provide the data. If the data is not provided, we cannot make web analysis using Google Analytics.

1.4 Third-Party Multi- and Social Media Content 

We integrate multimedia content and content from social media platforms into our website if you have given your consent to this via our cookie banner.

1. Youtube Embedding (Privacy Enhanced Mode)
   By enabling the corresponding slider in the cookie banner for "Youtube" in the category "Third-Party Multi- and Social Media Content" to play the content of Youtube, you agree that we allow Google as the provider of the Youtube service to collect data for its own purposes. The collection and processing of this data is the sole responsibility of Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland. Google Ireland Limited uses Google LLC in the USA (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) as its service provider. 
   
   We include videos into our website that are stored on YouTube. With this embedding, content of YouTube is displayed in parts of a browser window. However, the YouTube videos are only accessed by clicking on them separately. The embedding of YouTube content is carried out in the so-called "Privacy Enhanced Mode". This is provided by Google as the provider of YouTube and thus ensures that no data is transmitted to Google and no cookies are stored on your device before a click to play the video. 
   As soon as you enable the corresponding slider in the cookie banner, the video is loaded from Youtube. Technically, the same thing happens then as would happen if you clicked a link to go to the YouTube website: YouTube receives all information that your browser automatically transmits (including your IP address). YouTube also sets its own cookies on your device. This also happens if you do not have a YouTube user account. If you are logged in at YouTube or Google, your data will be associated directly with your account. If you do not want the association to your YouTube or Google user account, you must log out of YouTube and Google before clicking on the corresponding slider in the cookie banner. 
   We have no knowledge of further details of the processing of personal data in the area of data controllership of Google or a data processing in the USA. Hertie AI has no influence on the data processing of Google. 
   For information about the processing of personal data by Google, please refer to the Google Privacy Policy: https://policies.google.com/privacy?hl=en;
2. Twitter
   By enabling the corresponding slider in the cookie banner for „Twitter contents“ in the category "Third-Party Multi- and Social Media Content" to view Twitter contents, you agree that we allow Twitter to collect data for its own purposes. We do this by embedding content stored on Twitter into our website. With this embedding, content from the Twitter website is displayed in parts of a browser window. Before enabling the corresponding sliders in the cookie banner, no data is transmitted to Twitter and no cookies are stored on your device. 
   
   As soon as you enable the corresponding slider in the cookie banner to view the Twitter content, the content is loaded from Twitter. Technically, the same thing happens then as would happen if you clicked a link to go to the Twitter website: Twitter receives all information that your browser automatically transfers (including your IP address). Twitter also sets its own cookies on your device. This also happens if you do not have a Twitter user account. If you are logged in to Twitter, your data will be associated directly with your account. If you do not want the association to your Twitter user account, you must log out of Twitter before activating Twitter content. 
   The collection and processing of this data is the sole responsibility of Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA. We have no knowledge of further details of the processing of personal data in the area of data controllership of Twitter or a data processing in the USA. Hertie AI has no influence on the data processing of Twitter.
   For information about the processing of personal data by Twitter, please refer to the Twitter Privacy Policy: https://twitter.com/en/privacy.

2. Applicants for a Project or Event of Hertie AI

1. The purpose of the data processing is to carry out the application process and to select the participants for the respective project or event of Hertie AI. A change of these purposes is not planned.
2. The legal basis for data processing is the initiation of a contract for participation in the project or event in accordance with Article 6 (1) (b) GDPR. If you do not apply directly yourself, but are proposed, for example, the legal basis is our legitimate interest of Hertie AI in knowing the persons proposed for the project in question and their professional qualifications in accordance with Article 6 (1) (f) GDPR.
3. The personal data will be passed on internally to the employees responsible. In addition, some of the data will be passed on to a review board and project partners during the application process. In addition, we use service providers as processors within the framework of a data processing agreement in the selection processes, as for the provision, maintenance and servicing of IT systems.
4. The applicant data for the study programs, research and further education events will be deleted six months after the end of the application process. All contractual and booking relevant data will be stored in accordance with tax and commercial law retention periods for a period of ten calendar years after the end of the contract.
5. Without the data, participation in the application processes for projects and events of Hertie AI is not possible.

3. Applicants for an Employment with Hertie AI

1. The purpose of the processing is the selection of applicants for employment. A change of this purpose is not planned.
2. The legal basis is Section 26 German Federal Data Protection Act (BDSG) in conjunction with the initiation of the employment contract in accordance with Article 6 (1) (b) GDPR and Article 88 GDPR. We process voluntary information as part of your application on the basis of Section 26 (2) BDSG in conjunction with your consent in accordance with Article 6 (1) (a) GDPR and Article 88 GDPR.
3. Applicant data is forwarded internally to the relevant employees. In addition, we use service providers as processors within the framework of a data processing agreement, in particular for the provision, maintenance and care of IT systems.
4. Applicant data is deleted six months after the end of the specific application process. In the event of expressed interest in other positions too, the data will remain stored for up to 12 months after the last job offer or the last concrete expression of interest.
5. The provision of data is required for applicants. An application is not possible without providing data.

4. Newsletter Recipients

1. The purpose of the processing is to send our newsletter. A change of this purpose is not planned.
2. The legal basis for the processing of data for our newsletter is your consent in accordance with Article 6 (1) (a) GDPR. In the case of newsletter recipients who are under 16 years of age, consent is given by the holder of parental responsibility or the consent of the child is given with the authorization of the holder of parental responsibility in accordance with Article 8 (1) sentence 2 GDPR).
3. We use service providers as processors within the framework of a data processing agreement for the provision of services, especially for the provision, maintenance and servicing of IT systems.
4. Data relating to newsletters will be deleted when you unsubscribe.
5. Personal data is required to receive newsletters. Without providing personal data, the newsletters cannot be sent.

5. Business Partners and their Employees

1. The purpose of the processing is the initiation and perfomance of contracts and communication with employees of business partners. A change of this purpose is not planned.
2. The legal basis for processing is the initiation and perfomance of the contract in accordance with Article 6 (1) (b) GDPR in the case of contracts with natural persons. In case of contracts with legal persons the legal basis ist our legitimate interest, namely communication with contractually relevant contact persons in accordance with Article 6 (1) (f) GDPR, and always statutory obligations, in particular tax and commercial law provisions in accordance with Article 6 (1) (c) GDPR.
3. The recipients of data may be banks for the processing of payments. Authorities and offices may be recipients within the scope of their duties, insofar as we are obliged or entitled to transfer data. We also use service providers as processors within the framework of a data processing agreement for the provision of services, in particular for the provision, maintenance and servicing of IT systems.
4. All contractual and booking relevant data will be stored in accordance with tax and commercial law retention periods for a period of ten calendar years after the end of the contract.
5. The provision of data is obligatory for business partners and employees of business partners based on statutory and contractual regulations. The business relationship cannot be established and carried out without providing data.

6. Interested Parties and Communication Partners

1. The purpose of the processing is the communication with interested parties and communication partners of Hertie AI. A change of this purpose is not planned.
2. The legal basis for the processing of interested parties and other communication partners is our legitimate interest, namely communication with interested parties and communication partners in accordance with Article 6 (1) (f) GDPR.
3. The inquiries will be passed on internally to the employees responsible. We also use service providers as processors within the framework of a data processing agreement for the provision of services, in particular for the provision, maintenance and servicing of IT systems.
4. Inquiries and communication will be deleted automatically after ten calendar years.
5. The provision of data is obligatory for interested parties and communication partners. Without the provision of data, communication is not possible.

7. Rights of Data Subjects and Further Information

1. We do not use any methods of automated individual decision-making.
2. You have the right to request information at any time about all your personal data which we are processing.
3. If your personal data is incorrect or incomplete, you have the right to have it rectified and completed.
4. You can request the erasure of your personal data at any time, as long as we are not bound by legal obligations that require or allow us to continue processing your data.
5. If the applicable legal requirements are met, you can request a restriction to the processing of your personal data.
6. You have the right to object to the processing, insofar as the data processing is based on profiling or direct marketing purposes.
7. If the processing is carried out on the basis of the balancing of interests, you may object to the processing by stating reasons arising from your particular situation.
8. If the data processing takes place on the basis of your consent or a contract, you have the right to a transfer of the data provided by you, insofar as the rights and freedoms of others are thereby not impaired.
9. If we process your data on the basis of a declaration of consent, you have the right to withdraw this consent at any time with future effect. The processing carried out prior to a revocation remains unaffected by the revocation.
10. Moreover, you have the right to file a complaint at any time with a data protection supervisory authority, if you believe that data processing has been carried out in violation of the applicable law.

8. Picture Credits

We would like to thank all companies, institutions and our partners for the contribution of material and pictures. Special thanks to Elia Schmid, who photographed all team members and gives us the right to use them. Visit his website here www.eliaschmid.com.