Data Protection
Information on the processing of data according to Art 12 to 14 GDPR
Controller
The Controller responsible for the processing of the personal data according to Art 4 No 7 GDPR is the society.
European Society of Musculoskeletal Radiology (ESSR)
Am Gestade 1 | 1010 Vienna | Austria
Phone: +43 1 5334064-906
Email: dataprotection@essr.org
Personal Data
ESSR processes the following categories of personal data
of society members
- membership number
- full name
- organisation the member is active for
- form of address/sex
- date of birth
- addresses
- telephone and fax numbers
- email addresses
- profession
- type of membership (full member/corresponding member/honorary member, etc.)
- date of beginning and end of membership
- fees, areas
- awards and honours
- areas of interest and expertise notified by member
- activities within the society, in particular participation in events, membership in committees, working groups, diploma, publications for the society, lectures
- participation in conciliation proceedings
- details on consumption of services of the society
- details on initiation, content and execution of contracts
- payments or other services rendered by the society to the member
- content of correspondence
- bank account
of officers of the society
- full name
- form of address/sex
- date of birth
- addresses for services in the function of officer
- telephone and fax numbers
- email addresses
- photos
- personal ID copies
- office with the society
- beginning and end of office
- payment obligations of the officer to the society
- payments and other services of the society to the officer
- awards and honours
- content of correspondence
of third parties, consuming services of the society
- full name
- name of organisation the third party is active for
- form of address/sex
- date of birth (if required for identification)
- addresses
- telephone and fax numbers
- email addresses
- profession
- areas of interest and expertise provided by data subject
- participation in activities of the society
- consumption of services of the society
- details on initiation, content and execution of contracts
- content of correspondence
- bank accounts
of third parties providing services to the society
- full name
- organisation the third party is active for
- form of address/sex
- date of birth (as far as required for identification)
- addresses
- telephone and fax numbers
- email addresses
- VAT registration number
- social insurance number
- tax number
- profession or industrial sector (according to information of the data subject)
- areas of interest and expertise notified by data subject
- activities within the society
- details on services rendered for the society
- details on initiation, content and execution of contracts
- payments from the society to the third party
- content of correspondence
- bank account
of employees
the information is rendered separately within the employment relationship
Purpose
ESSR processes personal data for the following purposes
- membership administration
- membership register
- record of membership fees
- correspondence with members or sponsors of the society, in particular by automatically generated and stored text documents on society issues
- advertising, organisation and realization of and participation in analogue and digital web-based scientific events (congresses, symposia, seminars, lectures)
- advertising, organisation and realization of and participation in analogue and digital web-based training sessions
- advertising, organisation and operation of as well as access to scientific data bases
- advertising, creation, production and distribution of analogue and digital scientific publications including newsletters
- advertising, public offer, grant and administration of scholarships, grants, prices and awards
- processing and transfer of data within the business relationship with customers and contractors including, but not limited to automatically generated and stored text documents (e.g. correspondence) in these matters
- processing and transfer of data for calculation of salaries, wages and compensations and compliance with recording, information and notification
- obligations as far as these obligations are based on laws, trade agreements or labour contracts including, but not limited to automatically generated and stored text documents (e.g. correspondence) in these matters
- use and record of personal data of job applicants if such data were provided by the data subject or by recruitment consultants
Legal Basis
The legal basis for the data processing are:
ESSR primarily processes data on the basis of the legal relationship resulting from the membership with the society or for steps prior to the acceptance as member of the society upon request of the data subject in accordance with Art 6 No 1 lit b) GDPR. If and in as far as the disclosure and transfer of personal data to third parties is not based on the performance of contractual obligations or for steps prior to entering into a contract it is based on the data subject’s consent in accordance with Art 6 No 1 lit a) GDPR. The processing of personal data for the recruitment of society members as well as the advertising of society events and other services offered by the society to third parties not member of the society is based on the legitimate interest of the controller in accordance with Art 6 No 1 lit f) GDPR. The legitimate interest of the controller in these cases is the increase of the number of society members as well as the promotion of the purpose of the society by extending the circle of addressees for the services offered by the controller in pursuit of the society’s purpose. The notification of persona data of officers of the society to the relevant authorities governing associations is based on the legal obligations to be met by the society in accordance with Art 6 No 1 lit c) GDPR.
The processing of personal data of employees and of job applicants is based on the performance of contracts and steps taken prior to entering into a contract in accordance with Art 6 No 1 lit a) GDPR. The transfer of personal data of employees to the relevant authorities and social insurance institutions is based on legal obligations in accordance with Art 6 No 1 lit e) GDPR.
The processing of personal data of customers and contractors not being society members rendering services to or receiving services from the controller is based on the performance of contracts and steps taken prior to entering into a contract in accordance with Art 6 No 1 lit b) GDPR.
Categories of Recipients
ESSR only discloses personal data if such disclosure is based in legal obligations or if the disclosure is required for the performance of a contract or for steps to be taken prior to entering into a contract or if the data subject has given the consent or in the event that the disclosure is necessary for the purpose of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests of the data subject. The disclosure has to be adequate, relevant and limited to what is necessary in relation to the purposes for which they are disclosed (“data minimisation”).
The data processed by the controller may be disclosed to the following categories of recipients:
- other members of the society
- officers of the society
- co-operation partners of ESSR, being legal persons whose purpose or scope of business are connected with the promotion of medical imaging
- European Society of Radiology (ESR)
- participants of society events
- supporters and sponsors of the association and society events
- exhibitors at society events
- contractors and customers of the society
- banks and insurance companies
- payment service and credit card providers
- Processors of the society, including
- travel agencies
- publishers
- office service providers
- event managers
- delivery services
- email service providers
- IT service providers
- translation agencies and interpreters
- marketing, advertising and public relations agencies
- tax consultants and auditors
- attorneys and notary publics
- courts, authorities, regional authorities, social insurance agencies and professional associations of physicians and other health care professionals
- universities
- hospital operators
Storage Period
ESSR shall not store personal data longer than required for respective purpose of processing. ESSR shall store personal data for the duration of contractual relations, in particular for the time of membership with the society. Furthermore, personal data may or have to remain stored depending on the legal basis and the respective purpose. Reasons justifying a storage of personal data beyond the duration of a contractual relationship are storage obligations subject to tax law (generally seven years from the end of the year the data processing relates to) or the registration for the pursuit or defence of legal claims that may amount to up to 30 years in accordance with Austrian regulations on the statute of limitation. In the event the storage of personal data is based exclusively on the data subject’s consent, such consent can be withdrawn at any time. Unless there is no other legal basis for the storage, the deletion of the data may be requested.
Sources of Personal Data
ESSR primarily processes data provided by the data subject upon entering into a legal relationship (membership with the society, participation in event, opening a user account for a data basis operated by ESSR, consumption of services offered by ESSR). Personal data, however, can also be disclosed to ESSR by third parties, for example upon making a recommendation as presenter, lecturer at society events or as author in publications of the society.
In addition, ESSR may process personal data from public sources such as the world wide web in general and publications or websites of the data subject or of universities, hospitals, research institutions, doctors’ platforms, or physicians’ portals.
Third Countries and International Organisations
ESSR does not transfer data to third countries.
Personal data may be transferred to international health organisations. For such transfer, the following shall apply:
Personal data shall only be transferred on the basis of a legal obligation or if the transfer is required for the performance of a contract or for steps taken prior to the performance of a contract or on the basis of the data subject’s consent or if the processing is necessary for the purpose of the legitimate interest pursued by the controller or by a third party except when such interests are overridden by the interest of the data subject.
Automated Decision-making
ESSR does not use personal data for automated decision-making
Rights of the Data Subject
Every data subject is entitled to the rights to information, rectification, erasure, restriction of processing, portability and objection. In order to exercise these rights, data subjects should contact the controller. In the event the data subject is of the opinion that the processing of the data subject’s personal data infringes data protection law or the data subject’s right to privacy, the data subject may complain with the relevant authority being the Data Protection Authority (Datenschutzbehörde) in Austria.
In the event a data subject has given the consent for the processing of his data for a specific purpose and such data were also processed subject to another legal basis, for example for the performance of a contract or for the pursuit or defence of legal claims, the data subject’s withdrawal of the consent to process such data has no relevance on the processing of such data subject to another legal basis.