We, Brain Shuttle, S.L. (hereinafter “brainshuttle”, “responsible” or “we”) as partners of the VEThealth Project and administrators of the VEThealth Project webpage, are convinced that you should have control over your data and therefore take the protection of your personal data very seriously and strictly adhere to the data protection laws. Personal data is collected on this website only to the technically necessary extent. The following data protection declaration gives you an overview of how we guarantee this protection, what kind of data we collect for what purpose and what your rights in respect to your personal data are.
This data protection declaration comes into force on 25.05.2018.
Brain Shuttle, S.L.
Calle Navarra, No.15
Urb. Roque del Conde
Phone: +34 922 09 02 01
CIF: B76618 669
1. Basic Information on Data Processing and Legal Basis
1.2. For the terms used, such as “personal data” or their “processing”, we refer to the definitions in Art. 4 of the EU GDPR.
1.3. The personal data of users processed within the scope of the online offer includes usage data (browser type and version, operating system used, URL of the previously visited page, IP address of the accessing computer and time of the request) and information on content (e.g. entries in the application form).
1.4. The term “user” covers all categories of data subjects. These include our business partners, customers, interested parties and other visitors to our online offering. The terms used, such as “user”, are to be understood as gender-neutral.
1.5. We process personal user data only in compliance with the relevant data protection regulations. The user’s data will only be processed if there is legal permission, if data processing is required by law or if the user has given his or her consent. We process personal data on the basis of our legitimate interests (i.e. interest in analysis, optimization and economic operation and security of our online offer within the meaning of Art. 6 para. 1 letter f) of the EU GDPR, in particular for range measurement, creation of profiles for advertising and marketing purposes and collection of access data and use of third-party services).
1.6. We point out that the legal basis is based either on consents for the processing for the fulfilment of our services and the execution of contractual measures, for the processing for the fulfilment of our legal obligations or for the processing for the protection of our legitimate interests (Art. 6 para. 1 lit. a. and Art. 7 of the EU GDPR).
1.7. What sources and data do we use? We process personal data of customers, suppliers, interested parties, applicants and employees. We process this data in the context of business relationships, application procedures or employment relationships. We also use data from publicly accessible sources that may be processed. The legal basis is the fulfilment of (pre-) contractual obligations, legitimate interest, legal regulation or an available consent of the person concerned.
2. Security Measures
2.1. We take organizational, contractual and technical security measures in accordance with state of the art technology in order to ensure that the provisions of data protection laws are observed and thus to protect the data processed by us against accidental or intentional manipulation, loss, destruction or against access by unauthorized persons.
2.2. The security measures include in particular the encrypted transmission of data between your browser and our server.
3. Passing on of Data to Third Parties and Third Party Providers
3.1. Data will only be passed on to third parties within the framework of legal requirements. We only pass on user data to third parties if this is necessary, e.g. on the basis of Art. 6 para. 1 lit. b) of the EU GDPR for contractual purposes or on the basis of legitimate interests pursuant to Art. 6 para. 1 lit. f. of the EU GDPR on the economic and effective operation of our business operations.
3.2. If we use subcontractors to provide our services, we will take appropriate legal precautions as well as appropriate technical and organisational measures to ensure the protection of personal data in accordance with the relevant statutory provisions.
4. Online Application
If we receive applicant data proactively by post or e-mail, technical and organisational measures ensure that your personal data will be treated confidentially within the legal requirements. After completion of the application process, your data will be deleted unless you agree to its being stored for a longer period of time.
The person concerned can prevent the setting of cookies by our website at any time by means of an appropriate setting of the Internet browser used and thus permanently object to the setting of cookies. Furthermore, cookies that have already been set can be deleted at any time via an Internet browser or other software programs. This is possible in all common internet browsers. If the person concerned deactivates the setting of cookies in the Internet browser used, not all functions of our Internet site may be fully usable.
6. Third Party Services
6.1. Google Suite and Google Cloud
To realize our communication infrastructure, we use services from Google Inc. (“Google”), especially Google Suite (G-Suite), described at https://gsuite.google.com/
6.1. Google Suite and Google Cloud
To realize our communication infrastructure, we use services from Google Inc. (“Google”), especially Google Suite (G-Suite), described at gsuite.google.com, and Google Cloud, described at cloud.google.com. Due to the EU Data Protection Ordinance coming into force on 25 May 2018, Google introduced the G Suite and Cloud Identity version 2.0 of the addendum for data processing in October 2017. Google not only uses the EU-US Privacy Shield, an agreement between the US government and the EU on data protection, but also the standard contractual clauses to ensure that the requirements of the EU Data Protection Directive are met in terms of adequacy and security.
6.2. Google Analytics
6.2.2. Google will use this information on our behalf to evaluate the use of our online offer by users, to compile reports on the activities within this online offer and to provide us with further services associated with the use of this online offer and Internet use. Pseudonymous user profiles can be created from the processed data.
6.2.3. We use Google Analytics only with IP anonymization enabled. This means that the IP address of Google users within Member States of the European Union or in other signatory states to the Agreement on the European Economic Area will be reduced. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there.
6.2.4. The IP address transmitted by the user’s browser is not merged with other Google data. Users can prevent the storage of cookies by setting their browser software accordingly; users can also prevent Google from collecting the data generated by the cookie and relating to their use of the online offer and the processing of this data by Google by downloading and installing the browser plug-in available under this link.
6.2.5. Further information on data use by Google, setting and objection options is available on Google’s websites: Data use by Google when using our partners’ websites or apps, Data use for advertising purposes, Manage information that Google uses to show you advertising.
6.3. Google Maps
7. Social Media
brainshuttle offers the possibility to follow the social media offers of brainshuttle via so-called “Follow-Buttons”. Videos may also be provided by third parties. Below you will find explanations of the individual services.
Our online offer uses functions of the LinkedIn network. LinkedIn is an Internet-based social network that enables users to connect with existing business contacts and make new business contacts.
Every time a LinkedIn Plug-In component (LinkedIn Plug-In) is installed on our website, this component causes the browser used by the person concerned to download a corresponding representation of the LinkedIn component, if it is clicked consciously and proactively. Further information on the LinkedIn plug-ins. In the course of this technical procedure, LinkedIn is informed which specific subpage of our website is visited by the person concerned.
If the person concerned is simultaneously logged in to LinkedIn, every time the person concerned visits our website and for the entire duration of the respective stay on our website, LinkedIn recognizes which specific subpage of our website the person concerned visits. This information is collected by the LinkedIn component and assigned by LinkedIn to the respective LinkedIn account of the person concerned. If the person concerned clicks a LinkedIn button integrated on our website, LinkedIn assigns this information to the personal LinkedIn user account of the person concerned and stores this personal data.
LinkedIn receives information via the LinkedIn component that the person concerned has visited our website whenever the person concerned is logged in to LinkedIn at the same time as accessing our website; this happens regardless of whether the person concerned clicks on the LinkedIn component or not. If such a transmission of this information to LinkedIn is not desired by the person concerned, he can prevent the transmission by logging out of his LinkedIn account before calling up our website.
brainshuttle’s Internet pages and services use embedded videos from the YouTube platform. YouTube is an Internet video portal that allows video publishers to post video clips and other users to view, rate and comment on them free of charge. YouTube allows the publication of all kinds of videos, which is why complete films and TV programmes as well as music videos, trailers or videos made by users themselves can be called up via the Internet portal.
YouTube is operated by YouTube, LLC, 901 Cherry Ave, San Bruno, CA 94066, USA. YouTube, LLC is a subsidiary of Google Inc, 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.
Each time one of the individual pages of this website is accessed, which is operated by the data controller and on which a YouTube component (YouTube video) has been integrated, the browser used by the person concerned is automatically prompted by the respective YouTube component to download a representation of the corresponding YouTube component from YouTube. More information about YouTube. In the course of this technical procedure, YouTube and Google are informed which specific subpage of our website is visited by the person concerned.
If the person concerned is logged on to YouTube at the same time, YouTube recognizes which specific subpage of our website the person concerned visits by calling up a subpage that contains a YouTube video. This information is collected by YouTube and Google and assigned to the respective YouTube account of the person concerned.
YouTube and Google receive information through the YouTube component that the person concerned has visited our website whenever the person concerned is logged on to YouTube at the same time as accessing our website; this happens regardless of whether the person concerned clicks on a YouTube video or not. If such a transmission of this information to YouTube and Google is not desired by the person concerned, this can prevent the transmission by logging out of their YouTube account before calling up our website.
The data protection regulations provide information about the collection, processing and use of personal data by YouTube and Google.
8. Rights of Users
8.1. Right on Confirmation
Every data subject shall have the right granted by the European legislator of directives and regulations to require the controller to confirm whether personal data concerning him/her are being processed. If a data subject wishes to exercise this right of confirmation, he may contact an employee of the controller at any time.
8.2. Right on information
Any person concerned by the processing of personal data shall have the right granted by the European legislator of directives and regulations to obtain, at any time and free of charge, information from the controller concerning the personal data relating to him/her stored and a copy of that information. Furthermore, the European regulator has granted the data subject the following information:
• the processing purposes;
• the categories of personal data being processed;
• the recipients or categories of recipients to whom the personal data have been or are still being disclosed, in particular recipients in third countries or international organisations;
• if possible, the planned duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration;
• the existence of a right of rectification or deletion of personal data concerning him or of a restriction on processing by the controller or of a right of opposition to such processing;
• the existence of a right of appeal to a supervisory authority;
• if the personal data are not collected from the data subject: all available information on the origin of the data;
• the existence of automated decision-making, including profiling in accordance with Article 22(1) and (4) of the EU GDPR and – at least in these cases – meaningful information on the logic involved and the scope and intended effects of such processing for the data subject.
Furthermore, the data subject has a right of access to information as to whether personal data have been transferred to a third country or to an international organisation. If this is the case, the data subject also has the right to obtain information on the appropriate guarantees in connection with the transfer.
If a data subject wishes to exercise this right of access, he may contact an employee of the controller at any time.
8.3. Right on Correction
Any person data subject to the processing of personal data shall have the right granted by the European legislator of directives and regulations to request the immediate correction of inaccurate personal data concerning him/her. Furthermore, taking into account the purposes of the processing, the data subject has the right to request the completion of incomplete personal data, including by means of a supplementary declaration.
If a data subject wishes to exercise this right of rectification, he or she may contact an employee of the controller at any time.
8.4. Right on cancellation (right to be forgotten)
Any person concerned by the processing of personal data shall have the right granted by the European legislator of directives and regulations to require the data controller to request that the personal data concerning him/her be deleted immediately, provided that one of the following reasons applies and insofar as the processing is not necessary:
• The personal data have been collected or otherwise processed for such purposes for which they are no longer necessary.
• The data subject withdraws his/her consent on which the processing was based pursuant to Article 6(1)(a) of the EU GDPR or Article 9(2)(a) of the EU GDPR and there is no other legal basis for the processing.
• The data subject objects to processing under Article 21(1) of the EU GDPR and there are no overriding legitimate grounds for processing or the data subject objects to processing under Article 21(2) of the EU GDPR.
• The personal data have been processed unlawfully.
• The deletion of personal data is necessary to fulfil a legal obligation under Union law or the law of the Member States to which the data controller is subject.
• The personal data was collected in relation to information society services offered in accordance with Art. 8 para. 1 of the EU GDPR.
If one of the above reasons applies and a data subject wishes to have personal data stored at brainshuttle deleted, he/she may contact an employee of the controller at any time. The brainshuttle employee will arrange for the request for deletion to be complied with without delay.
If the personal data have been made public by brainshuttle and our company is obliged to delete the personal data in accordance with Art. 17 para. 1 of the EU GDPR, brainshuttle will take appropriate measures, including technical measures, taking into account the available technology and implementation costs, to inform other data processors who process the published personal data, that the data subject has requested the deletion of all links to this personal data or of copies or replications of this personal data from these other data processors, insofar as processing is not necessary. The brainshuttle employee will take the necessary steps in individual cases.
8.6 Right on Data Transferability
Any data subject shall have the right granted by the European legislator to receive personal data relating to him/her provided by the data subject to a data controller in a structured, current and machine-readable format. It shall also have the right to transmit such data to another data controller without obstruction by the controller to whom the personal data have been made available, provided that the processing is based on the consent provided for in Article 6(1)(a) or Article 9(2)(a) of the EU GDPR or on a contract in accordance with Article 6(1)(b) of the EU GDPR and that the processing is carried out using automated procedures, unless the processing is necessary for the performance of a task in the public interest or in the exercise of public authority conferred on the data controller.
Furthermore, in exercising his right to data transferability pursuant to Article 20(1) of the EU GDPR, the data subject has the right to obtain that the personal data be transferred directly by a data controller to another data controller, provided this is technically feasible and provided that the rights and freedoms of other persons are not affected thereby.
The person concerned may contact an brainshuttle employee at any time to assert the right to data transferability.
8.7 Right on Objection
Any person concerned by the processing of personal data shall have the right granted by the European legislator for reasons arising from their particular situation to object at any time to the processing of personal data concerning them under Article 6(1)(e) or (f) of the EU GDPR. This also applies to profiling based on these provisions.
brainshuttle will no longer process personal data in the event of an objection, unless we can prove compelling grounds for processing that outweigh the interests, rights and freedoms of the data subject or the processing serves to assert, exercise or defend legal claims.
If brainshuttle processes personal data for direct marketing purposes, the data subject has the right to object at any time to the processing of personal data for such advertising purposes. This also applies to profiling insofar as it is connected with such direct advertising. If the data subject objects to brainshuttle processing for direct marketing purposes, brainshuttle will no longer process the personal data for these purposes.
In addition, the data subject has the right to object to the processing of personal data concerning him/her for scientific or historical research purposes or for statistical purposes at the brainshuttle in accordance with Article 89(1) of the EU GDPR for reasons arising from his or her particular situation, unless such processing is necessary for the fulfilment of a task in the public interest.
To exercise the right of objection, the person concerned may contact anbrainshuttle employee or another employee directly. The data subject shall also be free to exercise his right of opposition in relation to the use of information society services by means of automated procedures using technical specifications, notwithstanding Directive 2002/58/EC.
8.8. Automated Decisions in Individual Cases Including Profiling
Any person data subject to the processing of personal data shall have the right granted by the European legislator of directives and regulations not to be subject to a decision based exclusively on automated processing, including profiling, which has legal effect against him or significantly affects him in a similar manner, provided that the decision is not (1) necessary for the conclusion or performance of a contract between the data subject and the data controller, or (2) is admissible under Union or Member State law to which the data controller is subject and that such law contains appropriate measures to safeguard the rights, freedoms and legitimate interests of the data subject, or (3) with the express consent of the data subject.
Where the decision (1) is necessary for the conclusion or performance of a contract between the data subject and the data controller or (2) is taken with the data subject’s express consent, the brainshuttle shall take appropriate measures to safeguard the rights, freedoms and legitimate interests of the data subject, including at least the right to obtain the intervention of a data controller, to state his own position and to challenge the decision.
If the data subject wishes to assert rights relating to automated decisions, he or she may contact an employee of the controller at any time.
8.9. Right to Revoke Consent under Data Protection Law
Any person concerned by the processing of personal data has the right granted by the European legislator of directives and regulations to revoke consent to the processing of personal data at any time.
If the data subject wishes to exercise his/her right to withdraw his/her consent, he/she may contact an employee of the controller at any time.
9. Changes to the Data Protection Declaration
We reserve the right to change the data protection declaration in order to adapt it to changed legal situations or changes in the service and data processing. However, this only applies with regard to declarations on data processing. If user consents are required or components of the data protection declaration contain provisions of a contractual relationship with the users, the changes will only be made with the users’ consent.
Users are asked to inform themselves regularly about the contents of the data protection declaration.
The Management Board