The Controller takes the protection of your personal data seriously and complies with the applicable data protection laws. With this Privacy Policy, the Controller is fulfilling the obligations to provide information as required by Art. 12 et. seq. of the General Data Protection Regulation (hereinafter referred to as the “GDPR”) and is informing you of the details of how your personal data will be processed and of your rights in this regard.
Please note that this Privacy Policy applies only to the processing of your personal data by Trials24 GmbH, Denninger Str. 30, 81679 Munich. This means that this Privacy Policy expressly does not relate to participation in a study.
Please read this Privacy Policy in connection with the General Terms of Use for use of the study platform.
As operator of the study platform and database, Trials24 GmbH, Denninger Str. 30, 81679 Munich, Germany, represented by the management (hereinafter “Controller” or “Trials24”), is responsible for the data processing in the context of the study platform and for any further storage of your personal data in the context of a database as Controller pursuant to Art. 4 (7) GDPR.
If you have any questions regarding the processing of your personal data by the Controller or about exercising your data subject rights, you can contact the Controller at any time via the following contact details:
Email: info@trials24.com
Telephone: +49(0) 89 21537 4990
Please note that, in the event that data subject rights (e.g., requests for information or data erasure) are asserted, the Controller must first ascertain your identity by means of a suitable procedure.
Trials24 GmbH is no longer responsible for the processing of your personal data as part of the study. The data protection information you will receive before participating in the study will name the new controller under data protection law. In this respect, Trials24 will also not act as a processor on behalf of the study’s sponsor.
Alternatively, you can also contact the Controller’s data protection officer with questions about the processing of your personal data. You can reach the data protection officer via the following contact details:
Email: datenschutz@trials24.com
To ensure the best possible protection of your data, the study platform uses secure sockets layer encryption (SSL encryption) in conjunction with transport layer security encryption (TLS encryption). This encryption ensures that data you transmit to the Controller in the context of the platform (e.g., by completing study-related questionnaires) cannot be read, redirected, or altered by unauthorised third parties during transmission.
Insofar as your data are stored by the Controller, this storage will only take place in appropriately security-certified data centres within the European Union (EU) or within the scope of the GDPR. The Controller expressly reserves the right to involve external service providers for the storage and processing of your data, but they will only act as processors on behalf of the Controller and in accordance with the Controller’s instructions. Processors will be contractually obligated by the Controller to take such technical and organisational measures (TOMs) as are appropriate, according to the current state of the art, for ensuring that your data are continuously processed in compliance with data protection requirements.
In no event will your data be shared with or disclosed to third parties by the Controller or a processor without an appropriate legal basis.
As a “data subject” within the meaning of Art. 4 (1) GDPR, you have certain inalienable rights (data subject rights). The Controller is obligated to guarantee these data subject rights and must contractually obligate employed processors to assist the Controller as best they can in enforcing these data subject rights. In this respect, you are entitled to the following data subject rights:
You can assert your data subject rights at any time. To do so, you can send a written or electronic message to the Controller (see section titled “Controller”) via the contact details provided. Alternatively, you can also contact the Controller’s data protection officer (see section titled “Data Protection Officer”). In this context, both the Controller and the data protection officer reserve the right to verify your identity by means of a suitable procedure.
As soon as you access the web-based study platform, the browser you are using will automatically transmit access information (known as log files) to the platform’s hosting provider. These log files contain personal and other data.
Processed data:
Purposes of the processing:
The log files are essential for ensuring the technical functionality of the study platform. In particular, the transmission of the IP address is necessary to display the platform on the end device you are using. The Controller will neither combine the data stored as part of the log files with other data sources nor use such data to identify individual users of the platform. In particular, the transmitted data will also not be evaluated for marketing purposes.
Legal basis of the processing:
The Controller bases the lawfulness of this data processing on Art. 6 (1) (f) GDPR. The “legitimate interest” required for this is based on the Controller’s desire to provide a secure and smooth user experience of the study platform. Use of the platform would not be possible otherwise.
Recipient of the data:
The recipient of your personal data within the meaning of Art. 4 (9) GDPR is the study platform’s hosting provider on whose servers the platform is being run. The Controller has commissioned Raidboxes GmbH (Hafenstrasse 32, 48153 Münster, Germany, www.raidboxes.io) with organising the hosting of the study platform. The services of Cloudflare Germany GmbH (Rosental 7, c/o Mindspace, 80331 Munich, Germany, www.cloudflare.com) are also used. In this context, both service providers are acting on behalf of the Controller as processors within the meaning of Art. 4 (8) GDPR and have accordingly been obligated by the Controller, on the basis of a data processing agreement, to establish and maintain appropriate technical and organisational measures (TOMs) that protect your personal data.
Duration of storage:
After no more than 14 days, the log files will be automatically erased or modified in such a way that they can no longer be attributed to you.
In addition to the aforementioned access data (log files), cookies are also used in the context of the study platform. These are small text files that the browser you are using automatically saves and files/stores on the end device you are using. Cookies do not contain viruses, Trojan horses, or other malicious software that would be capable of causing damage to the end device you are using. In this context, please note that the use of certain cookies may be necessary for technical reasons (e.g., to display the study platform on your end device). These “technically essential cookies” are to be differentiated from cookies that are used for other purposes (e.g., analysing user behaviour in the context of the study platform). These are “technically non-essential cookies”.
To begin with, the following text only discusses processing as it relates to the use of technically essential cookies. To the extent that the Controller uses technically non-essential cookies for the purposes of analysing user behaviour in the context of the study platform, you will be informed of this in separate sections of this Privacy Policy.
Processed data:
Purposes of the processing:
The cookies used by the Controller allow the Controller to see that you have already visited individual areas or pages of the study platform and ensure that you do not need to re-enter certain information and settings you have already entered in the context of the study platform. If you have a user account on the study platform, the deployed cookies will also be used, among other things, to recognise you when you visit the study platform again.
Legal basis of the processing:
The Controller bases the lawfulness of this data processing on Art. 6 (1) (a) GDPR. Your consent is provided in the context of a cookie banner that is displayed when you first access the study platform.
Duration of storage:
The deployed cookies will be automatically erased either immediately after you terminate your access to the study platform or after a fixed period of time not to be determined by the Controller.
You can also prevent the use of cookies by disabling or incrementally restricting the automatic placement of cookies in the settings of the browser you are using. In this context, you can also manually erase cookies already stored on the end device you are using. However, please note that partially or completely disabling cookies in your browser’s settings may mean that you can no longer use the study platform or no longer use it in its entirety.
Cookie overview, viewing and adjusting consent to cookies and data protection consent:
An overview of all cookies can be found here:
You can view and adjust your consent to cookies and data protection consent here:
This is your personal User ID:
Here is your personal consent history:
In principle, the Controller will only disclose your data to third parties within the meaning of Art. 4 (10) GDPR if
The Controller may employ as processors service providers whose place of business is in a third country or who are part of an international organisation with its place of business in a third country. In the context of the GDPR, a third country means a country that is not a member of the European Union (EU) or the European Economic Area (EEA) and therefore does not fall within the scope of the GDPR. A commonality shared by these third countries is that they may have their own data protection legislation, but this legislation may provide a lower level of protection than the GDPR. Considering this, Art. 44 GDPR stipulates that the transfer of data to third countries is only permitted when certain legal conditions are fulfilled.
As a rule, the permissibility of a transfer of data to third countries is based on an adequacy decision between the European Commission and the relevant third country, in accordance with Art. 45 GDPR. The existence of an adequacy decision indicates that the data protection legislation applicable in the relevant third country provides a level of protection for your personal data comparable to that of the GDPR. In accordance with Art. 46 (2) (c) GDPR, when no such adequacy decision exists, data transfers are alternatively based on the conclusion of a contract between the Controller and the corresponding service provider based on the standard contractual clauses issued by the European Commission. These contractual clauses provide a sufficient guarantee on the part of the respective service provider, including with regard to the enforceability of the data subject rights stipulated by the GDPR.
This Privacy Policy will expressly inform you when a service provider has such a connection to a third country. In this case, by providing your consent, you agree to the transfer of your personal data to such a company.
You can contact the Controller and make enquiries via email at any time, including in the context of the study platform. To handle your request(s), the Controller will need to take note of the personal data you submit to the Controller in the context of your request. The following explanations are also applicable in the event that the Controller provides a contact form in the context of the study platform or elsewhere.
Processed data:
Purposes of the processing:
The data transmitted by you in the context of contacting the Controller will be processed by the Controller solely for the purpose of handling and responding to your request. Please note that the Controller may use complaints in anonymised form as part of quality assurance to assess the quality and security of service.
Legal basis of the processing:
The Controller bases the lawfulness of this data processing on Art. 6 (1) (f) GDPR (“legitimate interest”) or on Art. 6 (1) (b) GDPR if you contact the Controller in the context of entering into or implementing a contract. The “legitimate interest” is based on the Controller’s desire to respond to your request in a comprehensive and targeted manner and to resolve any problems with the offered services as quickly as possible. When you submit your request via a contact form, the Controller bases the lawfulness of the data processing on Art. 6 (1) (a) GDPR. Your consent is given by ticking the box provided for this purpose and thereby agreeing to the processing of your personal data in accordance with this section before submitting the request via the contact form.
Recipient of the data:
The recipient of your personal data within the meaning of Art. 4 (9) GDPR is the provider of the email software used by the Controller for receiving and handling emails. For receiving, handling, and sending emails, the Controller uses the service Google Mail as part of Google Workspace (Google Ireland Ltd., Google Building Gordon House, 4 Barrow St., Grand Canal Dock, Dublin 4, D04 V4X7, Ireland) and the service Outlook as part of Microsoft365 (Microsoft Ireland Operations Ltd., South County Business Park, One Microsoft Place, Carmanhall and Leopardstown, Dublin, D18 P521, Ireland). In this context, Google and Microsoft are acting on behalf of the Controller as processors within the meaning of Art. 4 (8) GDPR and have accordingly been obligated by the Controller, on the basis of a data processing agreement, to establish and maintain appropriate technical and organisational measures (TOMs) that protect your personal data.
In this respect, please note that Google Ireland Ltd. is a subsidiary of Google LLC and Microsoft Ireland Operations Ltd. is a subsidiary of Microsoft Corporation and that these parent companies have their places of business in the United States. A transfer of data to the USA is generally not planned but also cannot be definitively ruled out. The explanations in the section titled “Data Transfers to Third Countries” therefore apply.
If you submit your request to the Controller via a contact form in the context of the study platform, the study platform’s hosting provider is also a recipient of your personal data within the meaning of Art. 4 (9) GDPR. The Controller has commissioned Raidboxes GmbH (Hafenstrasse 32, 48153 Münster, Germany, www.raidboxes.io) with organising the hosting of the study platform. The services of Cloudflare Germany GmbH (Rosental 7, c/o Mindspace, 80331 Munich, Germany, www.cloudflare.com) are also used. In this context, both service providers are acting on behalf of the Controller as processors within the meaning of Art. 4 (8) GDPR and have accordingly been obligated by the Controller, on the basis of a data processing agreement, to establish and maintain appropriate technical and organisational measures (TOMs) that protect your personal data.
Duration of storage:
The processed data will only be stored by the Controller for as long as this is necessary to handle and respond to your request. The Controller will then erase the data, provided that their erasure is not opposed by legal retention obligations.
In the context of the study platform, you will be given the opportunity to participate in an online survey about potential study participation. As part of the survey, you will be asked to answer a series of questions related to the potential study participation. Your answers will be used to determine if you are interested in study participation and are generally eligible to participate in the study.
Processed data:
The questionnaire is integrated into the study platform by means of an independent element (iFrame). The online questionnaire itself is completed anonymously to begin with. In this respect, your IP address will not be processed either. The questionnaire service provider will not store your IP address. At the end of the questionnaire, however, you will be given the opportunity to enter your contact information if you would like to participate in the study and/or wish to be informed about other studies in the future. The questionnaire will not be identified with you personally unless you enter your contact details.
Purposes of the processing:
The information you provide in the context of the survey (answers to the questions asked and data concerning health) must be processed so that the Controller can assess your eligibility for participation in the study. Your contact details will be used to send you information about the study and to verify whether a study site for that study is located in your area. Additional questions may need to be clarified by email or telephone to further verify your eligibility for study participation. In this regard, please note the “Telephone Interviews” section of this Privacy Policy. Notes will be taken during the conversation, and documents such as images or diagnostic reports may be requested. If you are interested in participating in the study, the Controller will share your contact details, conversation notes, and submitted documents with the study site in your area. Your data will only be shared for the purpose of clarifying your possible participation in the study.
Legal basis of the processing:
The Controller bases the lawfulness of this data processing on Art. 9 (2) (a) GDPR. In the context of the online survey, your express consent is given by actively ticking each of the boxes provided for this purpose. Your consent to receiving information about study participation and your consent to receiving information about future studies are obtained separately. Please note that the data you provide in the context of the online survey and further verification for study participation can only be shared with the study site if you consent to receiving information about study participation. Your consent to receiving information about future studies is entirely optional.
Overview of consent texts:
The wording of this consent is as follows, depending on whether you only want to receive information about the study in question or about future studies as well:
I agree to the processing of my data in accordance with the Privacy Policy and confirm that I have read and accept this Privacy Policy.
Recipient of the data:
The recipient of your personal data within the meaning of Art. 4 (9) GDPR is the service provider that provides the online questionnaire and stores the data related to the online questionnaire. The Controller employs LamaPoll (Lamano GmbH & Co. KG, Frankfurter Allee 69, 10247 Berlin, Germany) for the purpose of integrating the online questionnaire in the study platform and for storing the data related to the online questionnaire. In this context, the service provider is acting on behalf of the Controller as a processor within the meaning of Art. 4 (8) GDPR and has accordingly been obligated by the Controller, on the basis of a data processing agreement, to establish and maintain appropriate technical and organisational measures (TOMs) that protect your personal data.
Another recipient of your personal data within the meaning of Art. 4 (9) GDPR is the study site with which Trials24 will share your data, provided you have consented to receiving information about study participation and have left your contact details.
Duration of storage:
If you have consented to the processing of your personal data to receive information about study participation, your data will only be stored until the purpose for which your data was collected ceases to apply and, at most, for 90 days after the study has ended. This duration of storage is a legal requirement because competent authorities may consider the recruitment of study participants as part of the study and we need the data as part of the documentation for the study. If you have also consented to the processing of your personal data to receive information about future studies, your data will be stored, at most, until you withdraw your previously granted consent.
Following the online surveys about health topics and potential study participation, it may be necessary and/or helpful for the Controller to conduct a brief telephone interview with you to obtain further information that can generally help in gaining insights or can qualify your profile as a potential study participant. Considering this, the Controller is expressly informing you of the possibility of a telephone interview during which personal data will also be collected and may then be shared with study sites, for example, as part of your profile.
Processed data:
Purposes of the processing:
The information you provide in the context of the interview, including your answers to questions asked and data concerning health, will be processed for the purpose of evaluating your eligibility for potential participation in a study or analysing various health topics to obtain findings and develop appropriate measures.
Legal basis of the processing:
The Controller bases the lawfulness of this data processing on Art. 9 (2) (a) GDPR. In the context of the online surveys conducted, your express consent is given by actively ticking each of the boxes provided for this purpose. By providing your contact information and consenting to the processing of your personal data in accordance with this Privacy Policy, you also agree to be contacted by telephone for the above-mentioned purposes.
Recipient of the data:
The recipient of your personal data is the Controller himself to begin with. The Controller will decide whether the data collected during the telephone interview will be shared with the respective study site in the form of interview records for the purpose of potential study participation, for example. In this regard, please note the “Online Surveys About Potential Study Participation” section of this Privacy Policy.
Duration of storage:
If you have consented to the processing of your personal data to receive information about survey results or information about study participation, your data will only be stored until the purpose for which your data was collected ceases to apply and, at most, for 90 days after the survey results have been sent or after the study has ended. In the context of a study, this storage period is a legal requirement because competent authorities may consider the recruitment of study participants as part of the study and we need the data as part of the documentation for the study. If you have also consented to the processing of your personal data to receive information about future studies, your data will be stored, at most, until you withdraw your previously granted consent.
In the course of participating in an online survey on the study platform, you will be given the opportunity to consent to the storage of your personal data to receive information about future Trials24 studies. This will require your personal data to be stored in the context of a database so that you can be contacted as soon as a new study is announced.
Processed data:
Purposes of the processing:
The information you provide in the context of the survey must be processed so that the Controller can assess your eligibility for participation in future studies. Your contact details will be used to inform you of future studies in which you are generally eligible to participate. You will then be given the opportunity to participate in the online survey for the respective new study.
Legal basis of the processing:
The Controller bases the lawfulness of this data processing on Art. 9 (2) (a) GDPR. In the context of the online survey, your express consent is given by actively ticking each of the boxes provided for this purpose. In this case, you must expressly consent to receiving information about future studies.
Overview of the consent text:
The wording of this consent is as follows:
I agree to the processing of my data in accordance with the Privacy Policy and confirm that I have read and accept this Privacy Policy.
Recipient of the data:
The recipient of your personal data within the meaning of Art. 4 (9) GDPR is the service provider that provides the online questionnaire and stores the data related to the online questionnaire. The Controller employs LamaPoll (Lamano GmbH & Co. KG, Frankfurter Allee 69, 10247 Berlin, Germany) for the purpose of integrating the online questionnaire in the study platform and for storing the data related to the online questionnaire. In this context, the service provider is acting on behalf of the Controller as a processor within the meaning of Art. 4 (8) GDPR and has accordingly been obligated by the Controller, on the basis of a data processing agreement, to establish and maintain appropriate technical and organisational measures (TOMs) that protect your personal data.
Another recipient of your personal data within the meaning of Art. 4 (9) GDPR is the survey’s cooperating partner with which Trials24 will share your data, provided you have consented to receiving information about new surveys and clinical studies and have left your contact details. In relation to Trials24, the respective cooperating partner is a separate controller with regard to the processing of your personal data. Neither a data processing agreement nor joint controllership exists in this respect. You will be specifically referred to the respective cooperating partner’s privacy policy, which will apply accordingly.
Duration of storage:
If you have consented to the processing of your personal data to receive information about future studies, your data will be stored, at most, until you withdraw your previously granted consent.
As part of the Controller’s services, you have the option of registering to receive the newsletter. We must process your personal data to create, send, and evaluate our newsletters.
Processed data:
Purposes of the processing:
The aforementioned data must be processed so that the Controller can send you personalised newsletters and information and perform an anonymised evaluation of the newsletters’ success with regard to the click and open rates.
Legal basis of the processing:
The Controller bases the lawfulness of this data processing on Art. 6 (1) (a) GDPR. Your consent to receiving our newsletters and information can be provided in the context of the study platform. To register to receive the Controller’s newsletter, you must consent to the processing of your personal data by ticking a box provided for this purpose.
Recipient of the data:
The recipient of your personal data within the meaning of Art. 4 (9) GDPR is the service Mailchimp (The Rocket Science Group LLC., 675 Ponce de Leon Ave NE Suite 5000, Atlanta, GA 30308, USA, https://mailchimp.com/). In this context, the provider Mailchimp is acting as a processor on behalf of the Controller and has accordingly been obligated by the Controller, on the basis of a data processing agreement, to establish and maintain appropriate technical and organisational measures (TOMs) that protect your personal data.
In this regard, please note that The Rocket Science Group LLC maintains its place of business in the United States. A transfer of data to the USA is generally not planned but also cannot be definitively ruled out. The explanations in the section titled “Data Transfers to Third Countries” therefore apply.
Duration of storage:
The data processed in this context by the Controller will be stored, at most, until you withdraw your previously granted consent to receiving the Controller’s newsletter. You can withdraw your previously granted consent at any time in the footer of the newsletter or by sending an email to the contact details listed in the “Controller” or “Data Protection Officer” section.
To analyse user behaviour in the context of the study platform, the Controller uses the service Google Analytics (Google Ireland Ltd., Google Building, Gordon House, 4 Barrow St., Grand Canal Dock, Dublin 4, D04 V4X7, Ireland). The usage analysis involves the collection, storage, and evaluation of anonymised usage data that are collected via one or more technically non-essential cookies.
Processed data:
By truncating your IP address, Google Analytics anonymises your data before they are evaluated, which means they can no longer be attributed to you after they are collected.
Purposes of the processing:
Processing the aforementioned data allows the Controller to evaluate the use of the study platform and thus to determine which areas of the study platform are still in need of improvement. The Controller does so not least out of the desire to adapt the study platform as much as possible to users’ needs.
Legal basis of the processing:
The Controller bases the lawfulness of this data processing on Art. 6 (1) (a) GDPR. Your consent is given by agreeing to the use of the technically non-essential cookies related to Google Analytics in the context of the cookie banner when you first access the study platform (or at a later date).
Recipient of the data:
The recipient of your personal data within the meaning of Art. 4 (9) GDPR is the service Google Analytics (Google Ireland Ltd., Google Building, Gordon House, 4 Barrow St., Grand Canal Dock, Dublin 4, D04 V4X7, Ireland). In this context, the provider Google Analytics is acting as a processor on behalf of the Controller and has accordingly been obligated by the Controller, on the basis of a data processing agreement, to establish and maintain appropriate technical and organisational measures (TOMs) that protect your personal data.
In this regard, please note that Google Ireland Ltd. is a subsidiary of Google LLC, which has its place of business in the USA. A transfer of data to the USA is generally not planned but also cannot be definitively ruled out. The explanations in the section titled “Data Transfers to Third Countries” therefore apply.
Duration of storage:
Although your personal data will only be processed in anonymised form after they are collected and can therefore no longer be attributed to you personally, the Controller has nonetheless decided to limit the duration of storage for these data to 14 months. After the 14 months have elapsed, the usage data stored as part of Google Analytics will be automatically erased. You can make later adjustments to your chosen settings regarding the use of technically non-essential cookies related to Google Analytics at any time in the context of the cookie banner on the study platform.
You can also prevent the use of the technically non-essential cookies by disabling or incrementally restricting the automatic placement of cookies in the settings of the browser you are using. In this context, you can also manually erase cookies already stored on the end device you are using. However, please note that partially or completely disabling cookies in your browser’s settings may mean that you can no longer use the study platform or no longer use it in its entirety.
In order integrate Google’s tracking and analytics tools in the context of the study platform, the Controller uses Google Tag Manager (Google Ireland Ltd., Google Building, Gordon House, 4 Barrow St., Grand Canal Dock, Dublin 4, D04 V4X7, Ireland).
Processed data:
Purposes of the processing:
The aforementioned data must be processed so that the Controller can use Google Tag Manager to integrate Google’s tracking and analytics tools.
Legal basis of the processing:
The Controller bases the lawfulness of this data processing on Art. 6 (1) (a) GDPR. Your consent is given by agreeing to the use of the technically non-essential cookies related to Google Tag Manager in the context of the cookie banner when you first access the study platform (or at a later date).
Recipient of the data:
The recipient of your personal data within the meaning of Art. 4 (9) GDPR is the service Google Analytics (Google Ireland Ltd., Google Building, Gordon House, 4 Barrow St., Grand Canal Dock, Dublin 4, D04 V4X7, Ireland). In this context, the provider Google Analytics is acting as a processor on behalf of the Controller and has accordingly been obligated by the Controller, on the basis of a data processing agreement, to establish and maintain appropriate technical and organisational measures (TOMs) that protect your personal data.
In this regard, please note that Google Ireland Ltd. is a subsidiary of Google LLC, which has its place of business in the USA. A transfer of data to the USA is generally not planned but also cannot be definitively ruled out. The explanations in the section titled “Data Transfers to Third Countries” therefore apply.
Duration of storage:
The data processed in the context of this processing activity will be stored by the Controller, at most, until you withdraw your consent to the use of technically non-essential cookies related to Google Tag Manager. You can make later adjustments to your chosen settings regarding the use of technically non-essential cookies related to Google Tag Manager at any time in the context of the cookie banner on the study platform.
You can also prevent the use of the technically non-essential cookies by disabling or incrementally restricting the automatic placement of cookies in the settings of the browser you are using. In this context, you can also manually erase cookies already stored on the end device you are using. However, please note that partially or completely disabling cookies in your browser’s settings may mean that you can no longer use the study platform or no longer use it in its entirety.
The Controller uses the service Hotjar in the context of the study platform. This is an analytics service provided by Hotjar Ltd. (Level 2, St Julians Business Centre, 3, Elia Zammit Street, St Julians STJ 1000, Malta). Hotjar allows the Controller to record movements in the form of what are known as heatmaps in the context of the study platform.
Processed data:
The aforementioned data will be collected in anonymised form and cannot be attributed to any specific person. Should personal data be visible in the context of the heatmap used (e.g., within text boxes), Hotjar will automatically render these data unrecognisable.
Purposes of the processing:
The aforementioned data must be processed so that the study platform can be evaluated and better adapted to users’ needs.
Legal basis of the processing:
The Controller bases the lawfulness of this data processing on Art. 6 (1) (a) GDPR. Your consent is given by agreeing to the use of the technically non-essential cookies related to Hotjar in the context of the cookie banner when you first access the study platform (or at a later date).
Recipient of the data:
The recipient of your anonymised data within the meaning of Art. 4 (9) GDPR is the service Hotjar (Hotjar Ltd., Level 2, St Julians Business Centre, 3, Elia Zammit Street, St Julians STJ 1000, Malta). In this context, the provider Hotjar is acting as a processor on behalf of the Controller and has accordingly been obligated by the Controller, on the basis of a data processing agreement, to establish and maintain appropriate technical and organisational measures (TOMs) that protect your personal data.
Duration of storage:
Because only anonymised usage data without any personal reference will be processed, these data will be stored for an unlimited period of time but are expected to be erased after one year.
The Controller uses the service Varify.io in the context of the study platform. This is a service provided by Varify GmbH (Südliche Münchner Strasse 55, 82031 Grünwald). Varify.io enables the quick adaptation of the study platform, without the involvement of web developers, and the performance of what are known as A/B tests. A/B testing (also called split testing) is an online-marketing method in which two or more versions of a website or app are compared. The goal is to find out which version of the website or app users like better.
Processed data:
Purposes of the processing:
The aforementioned data must be processed so that the respective website can be displayed for you and the use of the respective website can be evaluated in anonymised form by means of cookies. The IP address is only needed to place the cookies required for the analysis.
Legal basis of the processing:
The Controller bases the lawfulness of this data processing on Art. 6 (1) (a) GDPR. Your consent is given by agreeing to the use of the technically non-essential cookies related to Varify in the context of the cookie banner when you first access the study platform (or at a later date).
Recipient of the data:
The recipient of the anonymous usage data within the meaning of Art. 4 (9) GDPR is the service Varify.io (Varify GmbH, Südliche Münchner Strasse 55, 82031 Grünwald, Germany). Because no personal data are transferred to Varify.io and no personal data are processed on our behalf by Varify.io, the conclusion of a data processing agreement is not necessary.
Duration of storage:
Because only anonymised usage data without any personal reference will be processed, these data will be stored for an unlimited period of time but are expected to be erased after one year.
To improve the presentation of the study platform, the Controller uses locally hosted Google web fonts (Google Webfonts). To display these fonts, the browser you are using will need to send your data to the hosting provider on whose servers the study platform is being hosted. This includes personal and other data.
Processed data:
Purposes of the processing:
The processing of the aforementioned data, in conjunction with the use of the locally hosted Google web fonts, allows the Controller to display the contents of the study platform in a uniform manner in different browsers and on different end devices.
Legal basis of the processing:
The Controller bases the lawfulness of this data processing on Art. 6 (1) (f) GDPR. The “legitimate interest” required for this is based on the Controller’s desire to provide a secure and smooth user experience of the study platform.
Recipient of the data:
The recipient of your personal data within the meaning of Art. 4 (9) GDPR is the study platform’s hosting provider on whose servers the platform is being run. The Controller has commissioned Raidboxes GmbH (Hafenstrasse 32, 48153 Münster, Germany, www.raidboxes.io) with organising the hosting of the study platform. The services of Cloudflare Germany GmbH (Rosental 7, c/o Mindspace, 80331 Munich, Germany, www.cloudflare.com) are also used. In this context, both service providers are acting on behalf of the Controller as processors within the meaning of Art. 4 (8) GDPR and have accordingly been obligated by the Controller, on the basis of a data processing agreement, to establish and maintain appropriate technical and organisational measures (TOMs) that protect your personal data.
Duration of storage:
The stored data will be erased immediately after your access to the study platform has ended.
The Controller integrates Google Maps in the context of the study platform. This is an online map service provided by Google Ireland Ltd. (Google Building, Gordon House, 4 Barrow St., Grand Canal Dock, Dublin 4, D04 V4X7, Ireland) and integrated into the study platform via an interface (API). In this context, your personal data will be processed via the use of a technically non-essential cookie.
Processed data:
Purposes of the processing:
The aforementioned data must be processed so that the maps can be displayed for you in the context of the study platform. In this respect, the Controller uses the maps to show you the location of one or more study sites involved in conducting the study in which you are interested in participating.
Legal basis of the processing:
The Controller bases the lawfulness of this data processing on Art. 6 (1) (a) GDPR. Your consent is given by agreeing to the use of technically non-essential cookies related to Google Maps in the context of the cookie banner when you first access the study platform (or at a later date).
Recipient of the data:
The recipient of your personal data within the meaning of Art. 4 (9) GDPR is the service Google Maps (Google Ireland Ltd., Google Building, Gordon House, 4 Barrow St., Grand Canal Dock, Dublin 4, D04 V4X7, Ireland). In this context, the provider Google Maps is acting as a processor on behalf of the Controller and has accordingly been obligated by the Controller, on the basis of a data processing agreement, to establish and maintain appropriate technical and organisational measures (TOMs) that protect your personal data.
In this regard, please note that Google Ireland Ltd. is a subsidiary of Google LLC, which has its place of business in the USA. A transfer of data to the USA is generally not planned but also cannot be definitively ruled out. The explanations in the section titled “Data Transfers to Third Countries” therefore apply.
Duration of storage:
The data collected by the technically non-essential cookies related to Google Maps will be stored for a period of 9–18 months. The data will then be automatically erased. You can make later adjustments to your chosen settings regarding the use of technically non-essential cookies related to Google Maps at any time in the context of the cookie banner on the study platform.
You can also prevent the use of the technically non-essential cookies by disabling or incrementally restricting the automatic placement of cookies in the settings of the browser you are using. In this context, you can also manually erase cookies already stored on the end device you are using. However, please note that partially or completely disabling cookies in your browser’s settings may mean that you can no longer use the study platform or no longer use it in its entirety.
Google reCAPTCHA is used in the context of the study platform. This is a service designed to ensure that the data entered in the context of the study platform are being entered by a human being. The service provider is Google Ireland Ltd. (Google Building, Gordon House, 4 Barrow St., Grand Canal Dock, Dublin 4, D04 V4X7, Ireland).
Processed data:
Purposes of the processing:
The aforementioned data must be processed so that the service Google reCAPTCHA can verify whether the study platform is being used by a human being or an automated programme. The purpose of the tool is thus to prevent misuse of the study platform and spam.
Legal basis of the processing:
The Controller bases the lawfulness of this data processing on Art. 6 (1) (a) GDPR. Your consent is given by agreeing to the use of the technically non-essential cookies related to Google reCAPTCHA in the context of the cookie banner when you first access the study platform (or at a later date).
Recipient of the data:
The recipient of your personal data within the meaning of Art. 4 (9) GDPR is the service Google reCAPTCHA (Google Ireland Ltd., Google Building, Gordon House, 4 Barrow St., Grand Canal Dock, Dublin 4, D04 V4X7, Ireland). In this context, the provider Google reCAPTCHA is acting as a processor on behalf of the Controller and has accordingly been obligated by the Controller, on the basis of a data processing agreement, to establish and maintain appropriate technical and organisational measures (TOMs) that protect your personal data.
In this regard, please note that Google Ireland Ltd. is a subsidiary of Google LLC, which has its place of business in the USA. A transfer of data to the USA is generally not planned but also cannot be definitively ruled out. The explanations in the section titled “Data Transfers to Third Countries” therefore apply.
Duration of storage:
The data collected by the technically non-essential cookies related to Google reCAPTCHA will be stored for a period of 9–18 months. The data will then be automatically erased. You can make later adjustments to your chosen settings regarding the use of technically non-essential cookies related to Google reCAPTCHA at any time in the context of the cookie banner on the study platform.
You can also prevent the use of the technically non-essential cookies by disabling or incrementally restricting the automatic placement of cookies in the settings of the browser you are using. In this context, you can also manually erase cookies already stored on the end device you are using. However, please note that partially or completely disabling cookies in your browser’s settings may mean that you can no longer use the study platform or no longer use it in its entirety.
The Controller provides video content on the study platform and uses YouTube embedding and/or plugins in this context; YouTube is a video platform provided by Google Ireland Ltd. (Google Building, Gordon House, 4 Barrow St., Grand Canal Dock, Dublin 4, D04 V4X7, Ireland).
Processed data:
All videos are integrated in what is known as “privacy-enhanced mode”. This ensures that your personal data (especially your IP address) are only transmitted to YouTube if you actually play the video.
Purposes of the processing:
The aforementioned personal data must be processed so that the video content can be displayed and played in the context of the study platform. We incorporate video content to provide you with informational videos about specific studies, for example.
Legal basis of the processing:
The Controller bases the lawfulness of this data processing on Art. 6 (1) (a) GDPR. Your consent is granted by playing the embedded video in privacy-enhanced mode and thereby agreeing to your data being shared and processed by YouTube.
Recipient of the data:
The recipient of your personal data within the meaning of Art. 4 (9) GDPR is the video service YouTube (Google Ireland Ltd., Google Building, Gordon House, 4 Barrow St., Grand Canal Dock, Dublin 4, D04 V4X7, Ireland). In this context, the provider YouTube is not acting as a processor on behalf of the Controller and therefore does not need to be obligated by the Controller, on the basis of a data processing agreement, to establish and maintain appropriate technical and organisational measures (TOMs) that protect your personal data.
In this regard, please note that Google Ireland Ltd. is a subsidiary of Google LLC, which has its place of business in the USA. A transfer of data to the USA is generally not planned but also cannot be definitively ruled out. The explanations in the section titled “Data Transfers to Third Countries” therefore apply.
Duration of storage:
Because the browser you use to access the study platform automatically establishes a connection to YouTube’s servers after the video is played in privacy-enhanced mode, we cannot provide any information on the duration of storage. In this regard, please refer to YouTube’s Privacy Policy, which can be accessed at https://policies.google.com/privacy?hl=en.
To analyse user behaviour and adapt the marketing activities in the context of the study platform, the Controller uses the “Custom Audiences” remarketing feature and the “Facebook Conversions API”, or, collectively, “Facebook Remarketing” (Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland). Anonymous usage data collected via one or more technically non-essential cookies (“Facebook pixels”) are recorded, stored, and evaluated as part of the usage analysis if you have been forwarded to the study platform via a Facebook ad.
In this respect, the Controller can only see that someone clicked on an ad in the context of the social network Meta, was forwarded to the study platform, and reached a previously defined target page of the study platform (conversion page). The Controller is only informed of the total number of users who have clicked on the advertisement, and none of your personal data will be processed.
You can prevent the usage analysis described above by not clicking on any of the ads that the Controller has placed in the social network Meta or by disabling or incrementally restricting the automatic placement of cookies in the settings of the browser you are using. In this context, you can also manually erase cookies already stored on the end device you are using. However, please note that partially or completely disabling cookies in your browser’s settings may mean that you can no longer use the study platform or no longer use it in its entirety.
In this regard, please note that Meta Platforms Ireland Ltd. is a subsidiary of Meta Platform Inc., which has its place of business in the USA. A transfer of data to the USA is generally not planned but also cannot be definitively ruled out. The explanations in the section titled “Data Transfers to Third Countries” therefore apply.
The Controller bases the lawfulness of this data processing on Art. 6 (1) (a) GDPR. Your consent is given by agreeing to the use of the technically non-essential cookies related to Facebook Remarketing in the context of the cookie banner when you first access the study platform (or at a later date).
To analyse user behaviour and adapt the marketing activities in the context of the study platform, the Controller uses the “Google Ads” remarketing feature (Google Ireland Ltd., Google Building, Gordon House, 4 Barrow St., Grand Canal Dock, Dublin 4, D04 V4X7, Ireland). Anonymous usage data collected via one or more technically non-essential cookies are recorded, stored, and evaluated as part of the usage analysis if you have been forwarded to the study platform via a Google ad.
In this respect, the Controller can only see that someone clicked on an ad in the context of Google Search, was forwarded to the study platform, and reached a previously defined target page of the study platform (conversion page). The Controller is only informed of the total number of users who have clicked on the advertisement, and none of your personal data will be processed.
You can prevent the usage analysis described above by not clicking on any of the ads that the Controller has placed in Google Search or by disabling or incrementally restricting the automatic placement of cookies in the settings of the browser you are using. In this context, you can also manually erase cookies already stored on the end device you are using. However, please note that partially or completely disabling cookies in your browser’s settings may mean that you can no longer use the study platform or no longer use it in its entirety.
In this regard, please note that Google Ireland Ltd. is a subsidiary of Google Inc., which has its place of business in the USA. A transfer of data to the USA is generally not planned but also cannot be definitively ruled out. The explanations in the section titled “Data Transfers to Third Countries” therefore apply.
The Controller bases the lawfulness of this data processing on Art. 6 (1) (a) GDPR. Your consent is given by agreeing to the use of the technically non-essential cookies related to Google Ads in the context of the cookie banner when you first access the study platform (or at a later date).
To analyse user behaviour and adapt the marketing activities in the context of the study platform, the Controller uses the “Bing Ads” remarketing feature (Microsoft Ireland Operations Ltd., One Microsoft Place, South County Business Park, Leopardstown, Dublin 18 D18 P521, Ireland). Anonymous usage data collected via one or more technically non-essential cookies are recorded, stored, and evaluated as part of the usage analysis if you have been forwarded to the study platform via a Bing ad.
In this respect, the Controller can only see that someone clicked on an ad in the context of Bing Search, was forwarded to the study platform, and reached a previously defined target page of the study platform (conversion page). The Controller is only informed of the total number of users who have clicked on the advertisement, and none of your personal data will be processed.
You can prevent the usage analysis described above by not clicking on any of the ads that the Controller has placed in Bing Search or by disabling or incrementally restricting the automatic placement of cookies in the settings of the browser you are using. In this context, you can also manually erase cookies already stored on the end device you are using. However, please note that partially or completely disabling cookies in your browser’s settings may mean that you can no longer use the study platform or no longer use it in its entirety.
In this regard, please note that Microsoft Ireland Operations Ltd. is a subsidiary of Microsoft Corporation, which has its place of business in the USA. A transfer of data to the USA is generally not planned but also cannot be definitively ruled out. The explanations in the section titled “Data Transfers to Third Countries” therefore apply.
The Controller bases the lawfulness of this data processing on Art. 6 (1) (a) GDPR. Your consent is given by agreeing to the use of the technically non-essential cookies related to Bing Ads in the context of the cookie banner when you first access the study platform (or at a later date).
To analyse user behaviour and adapt the marketing activities in the context of the study platform, the Controller uses the “TikTok Ads” remarketing feature (TikTok Technology Ltd., 10 Earlsfort Terrace, Dublin, D02 T380, Ireland). Anonymous usage data collected via one or more technically non-essential cookies are recorded, stored, and evaluated as part of the usage analysis if you have been forwarded to the study platform via a TikTok ad.
In this respect, the Controller can only see that someone clicked on an ad in the context of TikTok, was forwarded to the study platform, and reached a previously defined target page of the study platform (conversion page). The Controller is only informed of the total number of users who have clicked on the advertisement, and none of your personal data will be processed.
You can prevent the usage analysis described above by not clicking on any of the ads that the Controller has placed on TikTok or by disabling or incrementally restricting the automatic placement of cookies in the settings of the browser you are using. In this context, you can also manually erase cookies already stored on the end device you are using. However, please note that partially or completely disabling cookies in your browser’s settings may mean that you can no longer use the study platform or no longer use it in its entirety.
In this respect, please note that TikTok Technology Ltd. is a subsidiary of Beijing Bytedance Technology Ltd., which has its place of business in China. A transfer of data to China is generally not planned but also cannot be definitively ruled out. The explanations in the section titled “Data Transfers to Third Countries” therefore apply.
The Controller bases the lawfulness of this data processing on Art. 6 (1) (a) GDPR. Your consent is given by agreeing to the use of the technically non-essential cookies related to TikTok in the context of the cookie banner when you first access the study platform (or at a later date).
The Controller uses the Calendly online scheduling tool provided by Calendly LLC (115 E. Main Street, Suite A1B PMB 123, Buford, Georgia, 30518, USA) to arrange and organise appointments (e.g., for telephone calls or virtual meetings). Calendly enables the Controller to easily and efficiently schedule and organise appointments.
Processed data:
Purposes of the processing:
The processing of the aforementioned data allows the Controller to quickly and efficiently arrange and organise appointments and to send you the information needed to attend the appointment in question.
Legal basis of the processing:
The Controller bases the lawfulness of this data processing on Art. 6 (1) (a) GDPR. Your consent is provided during the appointment booking process or by actively scheduling an appointment through the tool.
Recipient of the data:
The recipient of your personal data within the meaning of Art. 4 (9) GDPR is the Calendly service provider (Calendly LLC., 115 E. Main Street, Suite A1B PMB 123, Buford, Georgia, 30518, USA). In this context, the provider Calendly is acting as a processor on behalf of the Controller and has accordingly been obligated by the Controller, on the basis of a data processing agreement, to establish and maintain appropriate technical and organisational measures (TOMs) that protect your personal data.
In this respect, please note that Calendly LLC maintains its place of business in the United States. A transfer of data to the USA is generally not planned but also cannot be definitively ruled out. The explanations in the section titled “Data Transfers to Third Countries” therefore apply.
Duration of storage:
The processed personal data will be erased no later than 60 days after the respective appointment.
The Controller reserves the right to update this Privacy Policy with future effect to be able to adequately respond to changes in legislation, jurisdiction, or economic circumstances. Your rights as a data subject within the meaning of the GDPR will never be limited by a change to this Privacy Policy.
According to Art. 4 (7) GDPR, “controller” means the entity that determines the purposes and means of the processing of personal data. First and foremost, the controller determines what is processed, how it is processed, and for what reason. The controller is responsible for the processing and must ensure compliance with the regulations under data protection law.
According to Art. 4 (8) GDPR, a “processor” is the entity acting on behalf of the controller and commissioned by the controller to process personal data.
According to Art. 4 (1) GDPR, “personal data” means any information that can be attributed to a directly or indirectly identifiable natural person (“data subject”).
According to Art. 4 (2) GDPR, “processing” means all possible types of data processing. This includes, in particular, the collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, transmission, dissemination, linking, restriction, erasure, or destruction of personal data.
According to Art. 4 (1) GDPR, a “data subject” is the natural person to whom the data processed by the controller can be directly or indirectly attributed.
According to Art. 4 (9) GDPR, the “recipient” is the entity to whom personal data are disclosed, whether or not this is a third party.
According to Art. 4 (10) GDPR, a “third party” is any entity other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
According to Art. 9 (1) GDPR, “special categories of personal data” include, in particular, data concerning the health of the data subject. These data require greater protection.
According to Art. 4 (15) GDPR, “data concerning health” are personal data that are related to the data subject’s physical or mental health and that reveal information about the data subject’s health status.
According to Art. 4 (11) GDPR, “consent” means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes in the form of a statement or other clear affirmative action (e.g., ticking a box provided for this purpose) signifying the data subject’s agreement to the processing of his or her personal data.
Do you still have questions? Feel free to give us a call!
Mon to Fri from 9 – 18 hrs
© Trials24 GmbH