Data Protection Policy

Update 04.06.2019

Our company places a high value on data protection and data security for Heidelberg University Hospital’s customers and partners as well as potential clients and users of our websites. Transparent processing and protection of your personal data are therefore especially important to us.

The present declaration will give you an overview of how your personal data is collected and processed when you visit our websites and how you can possibly contribute to better protection of your data.

Who is responsible for processing

Universitätsklinikum Heidelberg
Im Neuenheimer Feld 672
69120 Heidelberg

Public law institution („Anstalt öffentlichen Rechts“) represented by the Board of the University Hospital

Im Neuenheimer Feld 672
69120 Heidelberg

Phone: +49 (0) 6221 56-0
Fax: +49 (0) 6221 56-5999


Data protection officer 

Universitätsklinikum Heidelberg
Im Neuenheimer Feld 672
69120 Heidelberg
Phone: +49 (0) 6221 56-7036

What is personal data

Personal data is any information concerning natural persons that can be identified or are identifiable. Crucial is therefore whether the data collected relates to a person. This data includes information like your name, address, telephone number, and email. In­for­ma­tio­n that does not directly relate to your real identity, like fa­vou­rite web­si­tes or the number of a website’s visitors, is not personal data.

How we collect and process your personal data

When you visit our websites, our web ­ser­vers tem­po­rarily store the requesting computer’s data according to standard procedure for sys­tem­ security purposes, our web­si­tes that you visit, the date and duration of your visit, identification data of the brow­ser and operating system used as well as the website from which you visit our website. Other personal data like your name, address, telephone number or email are not collected, unless you provide this data of your own accord, e. g. for purposes of re­gis­tration, survey, raffle, contract implementation or inquiry.

How we use your personal data, how we transmit them

As long as it is possible to enter personal or corporate data on the website (emails, names, addresses), the act of providing this data on the user’s part is explicitly voluntary. Emails are transmitted via a contact form. If you send us a message of this kind, your personal data is only collected as long as it is needed for a reply. The email is transmitted without encryption.

The personal data you provide is used exclusively for the purposes of technical website administration and to fulfil your wishes and needs, which means it is used, as a rule, to implement the contract we concluded with you or to reply to your inquiry.

We use this data for product related surveys, marketing and statistics purposes only with your prior consent and unless you – as long as stipulated by law – filed an objection.

Your personal data is not transferred, sold or otherwise transmitted to third parties, unless necessary for the implementation of the contract or you gave your explicit consent.

Any consent can be revoked at any point taking effect in the future.

How long your data is stored

As a rule, we store all information you provided until the respective purpose is fulfilled, e. g. a contractual purpose. For instance, until execution for inquiries, until you unsubscribe – for newsletters. Should a longer period for data storage be needed according to law, it will be stored accordingly.

Should you no more wish us to use your data, we shall promptly fulfil your request (please contact us via the address provided under „Contact“).

When is your data deleted?

The personal data is deleted if you revoke your consent for data storage, if the data is no more needed for the purpose for which the data was stored or if data storage is impermissible for other lawful reasons. Deletion request does not concern data for settlement and accounting purposes.


When you visit our websites we use so-called cookies. These are small text files that are stored on your computer. Coo­kies help us determine the number of visitors and users of our websites as well as make our offers for you as convenient and efficient as possible.

On the one hand we use the so-called “ses­si­on coo­kies” that are stored only for duration of your use of our websites. On the other hand, we use "per­ma­nen­t coo­kies" in order to get in­for­ma­tio­n about visitors who regularly visit one of our websites. The purpose of these coo­kies is to offer you the best possible user experience as well as "to recognize" you and offer you diverse information and new content. The content of the per­ma­nen­t coo­kies is limited to the identification number. Name, IP-addres­s etc. are not stored. No profile is created about your user behavior.

You can also visit our websites without coo­kies. You can deactivate storage of cookies in your browser, limit it to certain websites or change your brow­ser’s settings so that it informs you as soon as coo­kies are sent. However, bear in mind that deactivation will lead to a limited display of the website and limited usability.

Cookies that are necessary for electronic communication or for certain functions you want to use (e. g. Shopping-Basket) are stored according to art. 6 (1)f GDPR. The website operator has a legitimate interest to store cookies in order to provide technically accurate and optimized services. If other cookies are stored (e. g. cookies to analyse your internet search behavior), they will be addressed separately in the present data protection declaration.

What we do to ensure secure processing

Our company takes all necessary technical and organisational security measures to protect your personal data from loss and misuse. So your data is stored in a secure environment with no access for the public. In some cases your personal data is transmitted with encryption by the so-called Se­cu­re So­cket Lay­er tech­no­lo­gy (SSL). This means that com­mu­ni­ca­ti­on between your com­pu­ter and our company’s ser­vers is done with a recognized encryption technology if your brow­ser supports SSL.

This is the legislative basis

When we request consent of respective individuals for processing of their personal data, we act on the basis of art. 6 1a of the EU General Data Protection Regulation (GDPR).

During processing of the personal data necessary for implementation of a contract whose party the person in question is, we act on the basis of art. 6 1b of the GDPR. This also concerns the processing necessary for the implementation of pre-contractual measures.

If processing of personal data is necessary for fulfilment of a legal obligation of our company, we act according to art. 6 1c of GDPR.

If processing of personal data is in vital interests of the person in question or any other natural person, we act according to art. 6 1d of GDPR.

If processing is necessary to protect our company’s or a third party’s legitimate interests and unless the interests, basis rights and freedoms of the person in question prevail, we act according to art. 6 1f of GDPR. Legitimate interests are in particular ensuring operations and website security, analysing the way visitors use the website and making the website use easier.

These are your data protection rights

According to the applicable legislation, you have at any time the right to obtain free information about your personal data stored, its origin and possible recipients as well as the purpose of processing (art. 15 GDPR) and if the case may be the right to correct incorrect data (art. 16 GDPR), delete the data (art. 17 GDPR), limit the processing according to art. 18 GDPR, object (art. 21 GDPR) and the right to portability of your data (according to art. 20 GDPR). For information and deletion rights there are certain restriictions according to §§ 34 and 35 of the German federal data protection act (BDSG).

You also have the right to lodge a complaint with a supervisory authority in case of data protection law violation (art. 77 GDPR and §19 BDSG). The supervisory authority for data protection issues is the data protection officer in the federal state (Bundesland), where our company is resident. You can find the list of data protection officers and their contact data here:

How YOU CAN revoke consents given for data processing

Processing is often only possible with your explicit consent. You can revoke such consent at any time. To do this, an informal email will be enough. The data processing that took place before this cancellation will remain unaffected.

Changes to data protection declaration

Possible changes to the present data protection declaration will be timely made public on this website.

Web Analytics and Advertisement

Matomo und Google Analytics

Our website uses Matomo (Piwik) and Google Analytics, known as web analytics services. These services use "cookies," which are data files stored on your computer that enable us to analyze use of the website. For this purpose, the usage information generated by the cookie (including your truncated IP address) is transmitted to our server and saved for usage analysis, which enables us to optimize the website. At the start of this process, your IP address is made anonymous so that you, the user, remain anonymous to us.  

With Matomo (Piwik), the information generated by the cookie regarding your use of this website is not passed on to third parties. With Google Analytics, the information generated by the cookie is generally transferred to a Google server in the USA and stored there. However, if IP anonymization is enabled on this website, your IP address within the member states of the European Union or other contracting states of the European Economic Area will be truncated by Google prior to transfer. Only in exceptional cases is the full IP address transferred to a Google server in the USA and truncated there. On behalf of this website operator, Google will use this information to evaluate your use of the website, to compile reports on website activity, and to provide other services regarding website activity and Internet usage to the website operator. The IP address transmitted by your browser as part of Google Analytics will not be merged with any other data held by Google. (Source:

You can refuse the use of cookies by selecting the appropriate settings on your browser; however, if you do so, you may not be able to utilize the full functionality of this website.

If you do not agree to the storage and analysis of data from your visit, you can block this (including your IP address) with a mouseclick at any time. In this case, an "opt-out cookie" is stored on your browser, with the result that no session data is collected.

Caution: If you delete your cookies, the opt-out cookie will also be deleted, and you may need to reactivate it.

Yandex Metrica

We use Yandex Metrica, a web analysis and click tracking service by Yandex, with business address in 119021 Moscow, L. Tolstoj Street 16. The information about how you use our website produced through this service (including your IP-address) is transmitted to Yandex’s server in the Russian Federation and stored there. For this purpose cookies are used on your end device. Cookies are text documents that are saved on your computer and allow analysis of how you use the website. Yandex will use this information to evaluate the way you use the website in order to prepare reports about website activities for the website operator and provide other services in connection with the use of website and Internet. Yandex will also transfer this information to third parties if required by law or if this data is processed by third parties as commissioned by Yandex. You can at any time object to this form of collection and storage of data with effect in the future. You can do this by changing your browser’s settings and so prevent storage of cookies by the website

Google AdWords und YandexDirect

Moreover, we use the online advertising programs called “Google AdWords” and “YandexDirect” and in this connection, we track the respective conversions as well.  If you click on an ad by Google/Yandex, a cookie will be stored on your computer to track conversions. These cookies lose their validity after 90 days, do not contain any personal data, and therefore cannot be used to personally identify users.

If you visit certain Internet pages of our website, and the cookie has not expired yet, Google and we can discern that you have clicked on the ad and were forwarded to this page. Every Google Adwords customer receives a different cookie. In this way, there is no possibility for cookies to be traced across the websites of AdWords customers.

The information obtained with the aid of the conversion cookie shows us the total number of users who have clicked on their ad and have been forwarded to a page provided with a conversion-tracking tag. However, we do not receive any information with which users can be personally identified.

If you do not wish to participate in the tracking, you may opt out of this use, by preventing the installation of the cookies through the corresponding setting of your browser software (deactivation possibility). In this case, you will not be incorporated into the conversion-tracking statistics. You will find more information and the Google data protection statement under:


This site uses so-called web fonts provided by Google for the uniform representation of fonts. When you open a page, your browser loads the required web fonts into your browser cache to correctly display texts and fonts.

To do this, the browser you use must connect to Google's servers. As a result, Google learns that our website has been accessed via your IP address. The use of Google Web Fonts is in the interest of a consistent and attractive presentation of our websites. This constitutes a legitimate interest within the meaning of art. 6 1f of GDPR

If your browser does not support Web Fonts your computer uses standard fonts.

You can find more information about Google Web Fonts at and in the privacy policy declaration of Google:


This website uses the web mapping service Google Maps via an API. It is provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

Use of Google Maps’ functions requires saving your IP address. This data is normally transmitted to a Google server in the USA and saved there. The present website’s provider has no influence on this data transmission.

The use of Google Maps provides for an appealing representation of our online offers and easier findability of the places indicated on our website. This is considered a legitimate interest according to Art. 6, 1(f) of the GDPR.

You can find more information on use of users’ data in Google’s privacy policy:


The present website has integrated YouTube components. YouTube is a video-sharing website that allows video publishers to publish video clips and other users to watch, rate and comment on these free of charge. YouTube allows publication of all kinds of videos, therefore full film videos and TV-programs as well as music videos, trailers or users’ own videos are available on the website.

YouTube’s operating company is YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. YouTube, LLC is a subsidiary of Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.

Every time you view one of our webpages where there is an integrated YouTube component (YouTube video) the respective YouTube component will automatically prompt your internet browser to download display of the respective YouTube component from YouTube. You can find further information on YouTube under This technical process allows YouTube and Google to understand, which subpage of our website you view.

As long as you are logged-in on YouTube at the same time, the visit of a subpage with a YouTube video will help YouTube detect which subpage of our website is viewed by the respective person. This information is collected by YouTube and Google and assigned to the respective YouTube account of the respective person.

YouTube and Google receive information via a YouTube component that the respective person has visited our website every time you are logged in on YouTube at the moment you visit our website. This happens whether you click on a YouTube video or not. If you do not wish this data to be transmitted to YouTube and Google, you can prevent this by logging out of your YouTube account before visiting our website.

YouTube’s privacy policy available under provides more information on collection, processing and use of personal data by YouTube and Google.


You have the opportunity to register on our website by providing personal information. Which personal data is to be sent to the controller is derived from the respective data entry mask used for the registration. The personal data you enter will be collected and stored solely for internal processing by the controllers and for own purposes. The controller may arrange for the transmission to one or more processors, such as a parcel service, who also uses the personal data only for internal use attributable to the controller.

By registering on the website of the controller the data, the IP address assigned by your Internet service provider (ISP), the date and time of registration are also stored. This data is stored because this is the only way to prevent the misuse of our services and, if necessary, to use this data to investigate past crimes and copyright infringements. Thus, the storage of this data is required to protect the controller. The data will not be transmitted to third parties as a rule, unless there is a legal obligation to pass on the data or unless the disclosure serves the criminal or legal prosecution.

Your registration and the voluntary provision of personal data serves the controller to provide you with content or services that, due to the nature of the case, can only be offered to registered users. Furthermore, your registration serves the monitoring of the use of the copyrighted texts issued by us, as well as the verification of link setting and copyright naming, as well as our own documentation purposes. In addition, we use the data collected for customer acquisition, in particular for telephone contact and the sending of advertisement by conventional mail and e-mail. Registered persons are free to delete the personal data given at the time of registration completely from the database of the controller.

The controller will inform you at any time on request about which of your personal data is stored. Furthermore, the controller corrects or deletes your personal data at the request or notice of the person in question, insofar as this does not conflict with legal data retention requirements. The data protection officer named in this data protection statement and all coworkers of the controller are available to assist you in this regard.

Special notes for the subscribers of the international newsletter

The data you enter is saved and processed, as commissioned by us, by CleverReach® for the purpose of sending our newsletter to the email address you entered into the form. According to the agreement about the commissioned data processing between the Heidelberg University Hospital and CleverReach®, your data can be solely used for this purpose. You can unsubscribe from our newsletters at any time. In this case your saved data will be deleted after 1 month. Your saved data is stored on the CleverReach ® servers in Germany and Ireland. At any time you can request information about all data saved.

We use Google service reCaptcha to see if it is a person or a computer that enters a particular piece of information in our contact or newsletter form. On the basis of the following data Google determines if you are a person or a computer: IP address of the end device used, the web page that you visit on our website and where the Captcha is integrated, the date and duration of the visit, the identification data of the browser and operating system types used, Google account, if you are logged to Google, cursor movements on the reCaptcha surfaces as well as the tasks where you need to identify pictures. The legal basis for the data processing described is art. 6 1 (f) of the GDPR. This data processing takes place for the purposes of our legitimate interest to provide our website’s security and protect us from automatic input (attacks).