Personal data protection policy for the use of the AlphaID platform

The AlphaID Platform, available at www.alphaid.de in English ((hereinafter "Plattform"), is provided by Grifols Deutschland GmbH (hereinafter "Grifols", "wir" or "uns").

The platform is used by us to support treating physicians and the University of Marburg in administratively processing orders for examinations of buccal mucosa swabs with regards to alpha-1 antitrypsin deficiency. The following data protection declaration provides information on the type and scope of the processing of personal data in the context of the provision and use of the platform.

1.- Responsible person and contact

Grifols Deutschland GmbH, Colmarer Straße 22, 60528 Frankfurt am Main, Germany is the data controller for the processing of personal data in the context of the provision and use of the Platform.

If you have any questions regarding data protection, please contact our data protection officer at the following e-mail address: dsb@grifols.com.

The responsibility of Grifols expressly does not extend to the processing of personal data within the framework of the examination procedure itself. The attending physician or the Philipps-Universität Marburg, Biegenstraße 10, 35037 Marburg are responsible for this. The department responsible at the Philipps-Universität Marburg for carrying out the blood test and the associated processing is the Clinic for Internal Medicine / SP Pneumology, Alpha-1-Antitrypsin Centre, Baldingerstraße, 35043 Marburg. Therefore, if you have any questions regarding data protection when carrying out the examination procedure, please contact this office(s).

2.- Content, scope, purpose, and legal basis of the processing of personal data

2.1.- Registration on the platform

The use of the platform requires prior registration of the doctor and the laboratory staff of the University of Marburg who are authorised to access the platform. During registration, identification and communication data are processed for the creation of an account and for your authentication. This includes:

In this respect, the data processing serves to provide the account as well as the clear identification of the user.

The processing of the data takes place on the basis of legal regulations that permit the data processing because it is necessary for the provision of the service (Art. 6 para. 1 lit. b DSGVO).

2.2.- Usage data

In the log-in records, the following user data is collected and stored for access management purposes each time a user logs in:

After completion of the usage process, the log-in data are stored for a period of 1 month for the purpose of abuse detection and tracking. We delete or anonymise the usage data including the IP addresses immediately as soon as they are no longer required for the aforementioned purposes.

The processing of the data takes place on the basis of legal regulations that permit data processing because it is necessary for the technical provision of the application to you (Art. 6 para. 1 lit. b DSGVO), or because we have a legitimate interest in ensuring the security and functionality of the web application and its proper use without this being opposed by an overriding interest of the data subjects (Art. 6 para. 1 lit. f DSGVO).

2.3.- For Grifols anonymous data on laboratory tests

No patient data identifiable to Grifols by either the attending physician or the University of Marburg is entered on the platform. It is anonymous information for Grifols (in particular an identification number (barcode, 14 digits) that only the attending physician can assign to a patient).

After completion of the laboratory examination, the laboratory results (without further identifiers) are added to the respective identification number by the University of Marburg, provided with the signature of the validating physician and returned to the respective treating physician as intended.

2.4.- Reports, Analysis

The University of Marburg produces regular reports for Grifols in which data on the examinations processed via the AlphaID platform are aggregated. These reports do not contain any patient data, but only information on the anonymised results of the examinations (result of the patient screening, allocation to the different genotypes) as well as administrative information (including the total number of samples sent in; indication that the sample was collected via AlphaID; location-specific allocation by postcode). These reports are analysed to evaluate the use of the platform and to design it according to needs.

Insofar as personal data is contained in the reports, the processing of this data is carried out on the basis of legal regulations that permit data processing because we have a legitimate interest in evaluating the use of the platform and designing it to meet requirements without this being opposed by an overriding interest of the data subjects (Art. 6 para. 1 lit. f DSGVO).

3.- Cookies

We only use so-called functional cookies, which serve the purpose of enabling certain functions of our internet-based platform. "Cookies" are small files that are stored on your end device with the help of the internet browser. These so-called "session cookies" are used to store certain technical data during the call-up of our platform, e.g. to determine whether the attending physician has logged in.

The legal basis for the use of these cookies is § 25 para. 2 TTDSG or Art. 6 para. 1 p. 1 lit. b DSGVO, as they are technically necessary for the use of our platform.

4.- Possible recipients of personal data

Occasionally, we rely on external service providers to provide the functionalities of our Platform described in this Privacy Policy, for example for the technical provision and maintenance of the Platform. These external service providers are carefully selected and regularly reviewed by us to ensure that your privacy is protected. The service providers may only use the data for the purposes specified by us. They are also contractually obliged by us to process your data exclusively according to our instructions and in compliance with applicable data protection laws.

5.- Duration of the storage of data

Unless otherwise described in this privacy policy, we generally delete personal data when the purpose for storing it no longer applies. With regard to registration data, this is usually the case when the registered doctor or employee of Marburg University deregisters from the platform vis-à-vis Grifols. A continuing purpose may exist in particular if the data is still needed to provide contractual services or to check and grant or defend against warranty and, if applicable, guarantee claims. We check at regular intervals whether the purpose of storage no longer applies or whether storage is still necessary.

6.- Rights of data subjects

Of course, we will provide you with the information pursuant to Art. 15 DSGVO upon request (in particular the data stored about you, the recipient or categories of recipients to whom data is disclosed, the purpose of storage, etc.).

In addition, you have a right to the correction of incorrect data and to the deletion, restriction of processing and portability of your personal data under the respective legal conditions. If you give us consent to process your data, you can revoke this consent at any time with effect for the future.

Furthermore, you have the right to lodge a complaint with a competent supervisory authority.

In cases where we process your data on the basis of our legitimate interests (Art. 6(1)(f) DSGVO), you have the right to object to this processing (Art. 21 DSGVO).

To exercise your rights and revoke your consent, you can contact our data protection officer at dsb@grifols.com. You also have the right to lodge a complaint with a data protection supervisory authority at any time.

7.- Update

We reserve the right to adapt the content of this data protection declaration at any time. This is usually done in the event of further development or adaptation of the platform used, which entails a change in data processing.

Status of the data protection declaration: February 2022