The Center for Psychotherapy Research (CPR) has many years of experience in the development, implementation and evaluation of technology-assisted interventions in psychosocial care. The programs and applications have been developed in close collaboration with our clinical partners and have proven to be technically stable and safe in a variety of studies.
Protecting the data of our users has the highest priority for our institute. Transparency regarding the processing of your personal data as well as the protection of your data are therefore particularly important to us.
With this statement, we give an overview of how personal data is collected and processed when you use our website, and what you yourself can do to better protect your data.
I. Name and address of the responsible institution
The responsible institution within the meaning of the General Data Protection Regulation and other national data protection laws of the member states as well as other data protection regulations is:
Center for Psychotherapy Research
University Hospital Heidelberg
Bergheimer Str. 54
Tel. ++49 6221-5638170
II. Contact to the Data Protection Officer
The data protection officer of the responsible person is:
University Hospital Heidelberg, Data Protection Officer
Im Neuenheimer Feld 672, 69121 Heidelberg
III. General information about data processing
1. What is personal data?
Personal data is any information that relates to an identified or identifiable real person. An essential aspect, therefore, is whether a reference to a real person can be made through the collected data. This includes information such as your name, address, phone number, and e-mail address. Information that is not directly related to your real identity, such as your favorite websites or the number of website users, is not considered personal data.
2. Scope of processing personal data
We only collect and use personal data of our users to the extent that is necessary to provide a functioning website, content and services. The collection and use of personal data of our users regularly takes place only with the consent of the user. Exceptions are those cases in which prior consent cannot be obtained for factual reasons and in which the processing of the data is permitted by law.
3. How do we collect and process information about you?
When you visit our web pages, our web servers temporarily store, for the purpose of system security, the connection data of the requesting computer, the web pages you visit, the date and duration of your visit, the identification data of the type of browser and the operating system used, the IP address and the website from which you visit us. Additional personal information such as your name, address, telephone number or e-mail address will not be collected unless you provide such information voluntarily, e.g. as part of a registration. You can visit this page without providing any personal information. Personal data are only collected if you voluntarily disclose them to us during your visit to our website.
You have the possibility of registering yourself on the website of the respective data controller by providing personal information. The personal data to be sent to the controller is derived from the respective input mask used for the registration. The personal data entered by you will be collected and stored solely for internal use by the controller and for own purposes.
By registering on the controller's website, your IP address (provided by your Internet service provider (ISP)) and the date and time of registration are stored. This data is collected as this is the only way to prevent misuse of our services and, if necessary, to use this data to investigate crimes and copyright infringements. In this respect, the storage of this data is required to secure the controller. These data are generally not transferred to third parties, unless there is a legal obligation to pass them on or their disclosure aids criminal or legal prosecution.
Your registration under the voluntary disclosure of personal data is necessary for the controller to provide you with content or services that, due to the nature of the case, can only be offered to registered users. Furthermore, your registration (in the privacy statement generator) serves to monitor the use of the copyrighted texts issued by us, as well as the verification of link setting and copyright naming, as well as our own documentation purposes. Registered persons are free to request the complete deletion of their personal data provided during registration from the database of the controller.
4. How do we use personal data, how do we share it?
If the disclosure of personal or business data (e-mail addresses, names, addresses) is made possible as part of the website, the disclosure of these data takes place on an explicitly voluntary basis.
The consent to this can be revoked in writing at any time without giving reasons, and without causing you any disadvantage. All data are collected for research purposes only. Data relevant for the study will be stored in pseudonymized form, analyzed and may be transferred, if that was part of the consent form. If required for the purpose of the study, data will only be transferred to scientists in a pseudonymized form.
Emails are sent via a contact form. If you send us such a message, your personal information will only be collected to the extent necessary for an answer. The email will be sent unencrypted. We use the personal data provided by you solely for the purpose of technical administration of the web pages and to research the scientific questions.
A dissemination, sale or other transfer of your personal data to third parties does not take place, unless you have explicitly consented to it. A given consent can be revoked at any time with effect for the future.
5. How long will your data be stored?
In principle, we store all the information you submit to us until the respective purpose is fulfilled. If a longer storage period is stipulated by law, storage takes place within this framework.
If you no longer want us to use your data, we will of course comply with this request immediately (please contact the address given under "Contact").
The data are anonymized as soon as the purpose of the research allows it, and deleted after study-related storage obligations expire.
6. When will your data be deleted?
Stored personal data is deleted if you revoke your consent to the storage, if the storage of the data is no longer necessary for the fulfillment of the purpose pursued with the storage, or if the storage is inadmissible for other legal reasons. Data for billing purposes and accounting purposes are not affected by a request for cancellation.
As part of your visit to our pages we use so-called cookies. These are small text files that are stored on your computer. Cookies help us to determine the frequency of use and the number of users of our websites, as well as to make our offers as comfortable and efficient as possible for you.
The CPR deposits so-called session cookies on the user's computer for the respective period of program use. Session cookies are text files that are necessary for the full use of the functions of the programs and are stored on the computer for the duration of program use. After use of the program, these are deleted again from the user's PC, that is, no cookies remain on the computer.
Please note that a deactivation of cookies limits the display and use of the website.
Cookies required for electronic communication or for the provision of specific, desired functions (e.g., the shopping cart function) are saved according to GDPR Art. 6 (1)(f). The website provider has a legitimate interest in saving cookies to ensure an error-free and optimized presentation of its services.
8. What do we do to ensure safety of data processing?
Our institute takes all the necessary technical and organizational safety measures in order to protect your personal data against loss and abuse. Thus, your data is stored in a secure environment, which is not accessible to the public.
The following components ensure a high standard of data protection and data security:
- Hosting provider:
The CPR does not use any external hosting provider. The applications of the CPR are run on internal, firewall-protected servers of the institute. Depending on project-related requirements the applications are hosted on separate servers.
- Programming environment:
The CPR uses LAMP stacks as its programming environment, which allow applications to be implemented to the highest security standards. The systems are continuously enhanced and monitored for security.
- Server architecture:
The CPR uses Linux systems with encrypted partitions. To keep downtimes at a minimum, two redundant systems are maintained in each case. Each project has separate databases. Personal and clinical data are encrypted and stored separately. Software development and the removal of software errors are conducted on test systems. Testing, production, and deployment environments are separated.
Data traffic is protected by hardware and software firewalls, which only allow HTTP and HTTPS traffic from the Internet, in order to block, for example, denial-of-service attacks.
The CPR uses up-to-date encryption techniques (TLS) for data transmission and storage. This means that the communication between your computer and the servers of our institute is carried out using an approved encryption method, if your browser supports this technology. You can recognize an encrypted connection within the address line of your browser, for example when the "http://" portion of the URL changes to "https://", and your browser displays a lock symbol next to it. If SSL or TLS encryption is enabled, the data you submit to us cannot be read by third parties.
- Audit trails:
Log files in the data management system can be used to track data entries and changes within the system, i.e. it is possible to retrospectively verify if and when data has been entered, modified or deleted.
- Data back-up:
Application data is backed up daily. A complete back-up secures the data on a back-up server in an encrypted form. Weekly back-ups are stored on an external data storage device, also encrypted, which is kept physically separate, secure and inaccessible to third parties.
- Performance and availability:
The production environment includes mirrored servers that provide a high availability of programs for users (primary-replica systems). The dimensioning of deployed hardware and software components depends on individual project requirements and provides high speed of applications. The reliability of services is monitored continuously.
- User authentication:
The program login is password protected with user names, and pseudonyms or codes, respectively.
Some programs use emails and SMS as communication devices. Personal information is used and stored only if necessary for program operation. Email addresses and phone numbers are stored encrypted.
- Data inspection:
According to predefined roles only certain staff members, who are subject to German data privacy laws, are able to access data after appropriate authentication with the system.
- Use of analytics software:
The CPR does not use web analytics services of third parties (such as Google Analytics) or save cookies from third parties.
If you would like to contact us via email, please note that the confidentiality of the information you submit is not guaranteed. The content of emails can be viewed by third parties. Thus, we recommend that you do not send us any confidential information via email.
9. These are your privacy rights
Within the scope of the applicable legal provisions, you have the right to request information, free of charge, about your stored personal data, their origin as well as possible recipients of your data and the purpose of data processing (Art. 15 GDPR) and, where applicable, you have the right to have incorrect data corrected (Art. 16 GDPR). You have the right to have your personal data deleted (Art. 17 GDPR), and the right to restrict processing according to Art. 18 GDPR. You have the right to object (Art. 21 GDPR) as well as the right to data portability for data provided by you according to Art. 20 GDPR. With regard to the right to obtain information and the right to erasure, the restrictions under §§ 34 and 35 BDSG (Germany) apply.
In addition, in the case of violations of data protection law, you have the right of appeal to the responsible supervisory authority (Art. 77 GDPR and § 19 BDSG, Germany). The responsible supervisory authority for data protection matters is the state data protection officer of the federal state in which our institute is located. A list of the data protection officers as well as their contact data is provided by the following link:
10. How can you revoke given consent to data processing?
Many data processing operations are only possible with your explicit consent. You may, at any time, revoke existing consent in writing (e.g. by email). The legality of data processing carried out until the revocation remains unaffected by the revocation.
11. Contact information for questions, complaints, assertions of your rights
If you have any questions, complaints or want to assert your privacy rights, you can always contact us at the following address:
Center for Psychotherapy Research
University Hospital Heidelberg
Bergheimer Str. 54
In case of unlawful data processing you have the right to complain to the following supervisory authority:
Der Landesbeauftragte für den Datenschutz und
die Informationsfreiheit Baden-Württemberg
Post Office Box: 10 29 32, 70025 Stuttgart
Königstraße 10a, 70173 Stuttgart
Tel.: 0711/61 55 41 – 0
Fax: 0711/61 55 41 – 15
This data privacy declaration is subject to change. Adjustments are announced on this page in due time.