Data Protection Information

Information on the processing of data according to Art 12 to 14 GDPR
 

Controller

The Controller responsible for the processing of the personal data according to Art 4 No 7 GDPR is the society.

Europäische Gesellschaft für Onkologische Bildgebung – European Society of Oncologic Imaging (ESOI)
ZVR 897953653
Am Gestade 1
1010 Vienna
AUSTRIA
Phone: +43 1 533 4064-924
Email: dataprotection@esoi-society.org 


Personal Data

ESOI processes the following categories of personal data

Purpose

ESOI processes personal data for the following purposes

Legal Basis

The legal basis for the data processing are:

ESOI primarily processes data on the basis of the legal relationship resulting from the membership with the society or for steps prior to the acceptance as member of the society upon request of the data subject in accordance with Art 6 No 1 lit b) GDPR. If and in as far as the disclosure and transfer of personal data to third parties is not based on the performance of contractual obligations or for steps prior to entering into a contract it is based on the data subject’s consent in accordance with Art 6 No 1 lit a) GDPR. The processing of personal data for the recruitment of society members as well as the advertising of society events and other services offered by the society to third parties not member of the society is based on the legitimate interest of the controller in accordance with Art 6 No 1 lit f) GDPR. The legitimate interest of the controller in these cases is the increase of the number of society members as well as the promotion of the purpose of the society by extending the circle of addressees for the services offered by the controller in pursuit of the society’s purpose. The notification of personal data of officers of the society to the relevant authorities governing associations is based on the legal obligations to be met by the society in accordance with Art 6 No 1 lit c) GDPR.

The processing of personal data of employees and of job applicants is based on the performance of contracts and steps taken prior to entering into a contract in accordance with Art 6 No 1 lit a) GDPR. The transfer of personal data of employees to the relevant authorities and social insurance institutions is based on legal obligations in accordance with Art 6 No 1 lit e) GDPR.

The processing of personal data of customers and contractors not being society members rendering services to or receiving services from the controller is based on the performance of contracts and steps taken prior to entering into a contract in accordance with Art 6 No 1 lit b) GDPR.
 

Categories of Recipients

ESOI only discloses personal data if such disclosure is based on legal obligations or if the disclosure is required for the performance of a contract or for steps to be taken prior to entering into a contract or if the data subject has given the consent or in the event that the disclosure is necessary for the purpose of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests of the data subject. The disclosure has to be adequate, relevant and limited to what is necessary in relation to the purposes for which they are disclosed (“data minimisation”).

The data processed by the controller may be disclosed to the following categories of recipients:

Storage Period

ESOI shall not store personal data longer than required for the respective purpose of processing. ESOI shall store personal data for the duration of contractual relations, in particular for the time of membership with the society. Furthermore, personal data may or have to remain stored depending on the legal basis and the respective purpose. Reasons justifying a storage of personal data beyond the duration of a contractual relationship are storage obligations subject to tax law (generally seven years from the end of the year the data processing relates to) or the registration for the pursuit or defence of legal claims that may amount to up to 30 years in accordance with Austrian regulations on the statute of limitation. In the event the storage of personal data is based exclusively on the data subject’s consent, such consent can be withdrawn at any time. Unless there is no other legal basis for the storage, the deletion of the data may be requested. 
 

Sources of Personal Data

ESOI primarily processes data provided by the data subject upon entering into a legal relationship (membership with the society, participation in event, opening a user account for a data basis operated by ESOI, consumption of services offered by ESOI). Personal data, however, can also be disclosed to ESOI by third parties, for example upon making a recommendation as presenter, lecturer at society events or as author in publications of the society.

In addition, ESOI may process personal data from public sources such as the world wide web in general and publications or websites of the data subject or of universities, hospitals, research institutions, doctors’ platforms, or physicians’ portals.
 

Third Countries and International Organisations

ESOI does not transfer data to third countries.

Personal data may be transferred to international health organisations. For such transfer, the following shall apply:

Personal data shall only be transferred on the basis of a legal obligation or if the transfer is required for the performance of a contract or for steps taken prior to the performance of a contract or on the basis of the data subject’s consent or if the processing is necessary for the purpose of the legitimate interest pursued by the controller or by a third party except when such interests are overridden by the interest of the data subject.
 

Automated Decision-making

ESOI does not use personal data for automated decision-making.
 

Rights of the Data Subject

Every data subject is entitled to the rights to information, rectification, erasure, restriction of processing, portability and objection. In order to exercise these rights, data subjects should contact the controller. In the event the data subject is of the opinion that the processing of the data subject’s personal data infringes data protection law or the data subject’s right to privacy, the data subject may file a complaint with the relevant authority being the Data Protection Authority (Datenschutzbehörde) in Austria.

In the event a data subject has given their consent for the processing of their data for a specific purpose and such data were also processed subject to another legal basis, for example for the performance of a contract or for the pursuit or defence of legal claims, the data subject’s withdrawal of the consent to process such data has no relevance on the processing of such data subject to another legal basis.