ECCO IT HUB (= ECCO DATABASE) – PRIVACY POLICY ACCORDING TO GDPR

Version:  February 2024

In this privacy policy, we explain all processing activities taking place in our system named “ECCO IT HUB”.

1. Joint Controllership

ECCO IT HUB consists of the following organisational entities with their registered seat in 1030 Wien, Ungargasse 6/13, and is based on a joint controllership agreement according to Article 26 General Data Protection Regulation (“GDPR”):

  • ECCO – European Crohn’s and Colitis Organisation (“ECCO”), registered in the Austrian Register of Associations (ZVR) under the registration number 468755685, as well as its daughter entity:
  • OCEAiN – Organisation, Congress, Emotion, Association, iNnovation GmbH (“OCEAiN”)

(together hereafter referred to as “ECCO IT HUB” or “we”).

 a. Allocation of Data Protection Tasks / Duties (under Art. 26 GDPR):

except for the following data protection tasks which are done separately:

  • selection and assignment of data processors
  • processing of notifiable data breaches

all other data protection tasks are done jointly.

 b. Description of Joint Data Processing:

The ECCO Database constitutes the core for all projects on the side of ECCO Association as well the side of OCEAiN GmbH, who is in charge of organising the annual ECCO Congress, the e-Learning platform and publishing the ECCO News magazine.

As the ECCO Congress constitutes the annual meeting of the ECCO Members and other stakeholders in the field of inflammatory bowel diseases, the ECCO Database has a significant intersection set of data subjects as the same data subjects can be ECCO Members and Congress Delegates. 

The data subjects in the ECCO Database are health care professionals, pharma industry representatives, patient representatives and students in the field of inflammatory bowel diseases with an interest in both ECCO Association activities and ECCO Congress and e-Learning activities. In addition, the ECCO Database captures press contacts, as well as employees and contact persons of tour operator agencies booking group registrations and of supplier companies, which are contracted to implement projects of ECCO and OCEAiN.

c. Means of Joint Data Processing:

With the increasingly enhanced digitalisation of the joint data processing operations over the past years, the ECCO Website with a Login-Area called the ECCO Portal constitutes the main entrance door to all activities of ECCO and OCEAiN.

The ECCO Portal Account is the “front” side entrance door to and, after personal Login-In, the front side display of the respective personal data-set captured in the ECCO Database.

As soon as an ECCO Portal Account holder applies for ECCO Membership or engages in another activity, joint processing takes place in the ECCO Database: the use of synergy effects in data harmonization also aims to facilitate access of data subjects to activities within the larger framework of ECCO IT Hub (e.g. distribution of our newsletters, promotion of our Congress and educational/scientific activities, access facilitation via the publisher/distributor of our publications). 

Depending on the status of the data subject (e.g.: Membership status, Congress Registration statutes, Scientific Reviewer Status), the data subject can access various online tools (e.g.: online application process per open call, registration process for workshops or ECCO Congress, industry webshop, voting function in the App) and various levels of online content (e.g.: applications received for internal or scientific review, e-Learning material, meeting documents).

Most of the functionalities are directly provided by the ECCO Database suppliers and do not need data transfers to other suppliers.

The ECCO Website and the ECCO Database are hosted on a rented ECCO Server space in Austria, in Germany and in Switzerland. The EU Commission has issued an adequacy decision for Switzerland.

The ECCO App uses servers located in the EU that are provided by AWS for the hosting of its content management system. An adequacy decision has been issued by the EU Commission for the US. AWS is certified in accordance with the EU-U.S. Data Protection Framework, on which the EU adequacy decision is based, and is therefore subject to the scope of the adequacy decision.

Additional Platforms and technology needed are solved with a single-sign on technology with the ECCO Database, which are in particular

  • the ePayment tool used to process online credit card payments for ECCO Membership and ECCO Congress Registrations.
  • the e-Learning platform which is accessible to all ECCO Members and also to health care professionals as ECCO Portal Account holders without active ECCO Membership up to the age of 35. The single-sign on mechanism is based on an age check, which takes place within the ECCO Database before the access interface is enabled to the e-Learning Platform.
  • the ECCO App: upon installation of the ECCO App (offering a dedicated section for ECCO Association and another dedicated section for the annual Congress) on the data subject’s mobile device, first name, last name and email address is shared with the App provider company to allow the single-sign-on mechanism. In case of additional consent of the data subject chosen in the settings of the App, the personal status (of Membership or Congress Delegates) can be shared in order to be visible for a chat-function tool and to allow for voting functions.

In addition, two further joint data processing platforms are used to facilitate project management and communication:

  • the ECCO Office inhouse server
  • the eNewsletter Mailing Platform

d. Legal Basis of Joint Data Processing:

The data transfer between the joint controllers is based on legitimate interests (Art 6 para 1 lit f GDPR). The legitimate interest is the processing of personal data within the organisational entities for internal management purposes of the data subjects.

2. Categories of data processed & data storage time:

a. ECCO Website Visitors

ECCO IT Hub processes the IP address of ECCO Website visitors and cookie information chosen by you and as explained in the cookie banner and cookie data protection information:

  • The IP address is transmitted with every server request. ECCO IT Hub and its provider of statistical services do not store IP addresses permanently, but use them for session identification purposes and to prevent attacks only. The following information will be stored in the server logs: the IP address of the requesting computer, together with the date, time, which file is requested (name and URL), what amount of data is transferred to you, a message as to whether the request was successful, identification data of the browser used and the operating system used, as well as the website from which access was made (if access is via a link).
  • During your visit to the ECCO Website, some information is collected and analysed for web controlling purposes. This information is provided by your browser. The following data are collected:
    • Requests (file name of the requested file) (e.g., de/index.html)
    • Browser type/browser version (e.g., Google Chrome, Mozilla Firefox, Microsoft Edge)
    • Browser language (e.g., English)
    • Operating system used (e.g., Windows 10)
    • Inner resolution of browser window
    • Screen resolution
    • JavaScript activation
    • Java on/off
    • Colour depth
    • Referrer URL (the previously visited web site)
    • Time of access
    • Clicks
    • Total orders, if any
    • Content of forms, if any (in the case of text fields, e.g. name and password, only the information “completed“ or “not completed“ is transmitted)
  • The ECCO Website relies on several so-called cookies. Cookies are text files that are stored on your computer or mobile device, regardless of whether they are personal or not. They serve to recognize the website user and store temporary information. Without your consent, we only use cookies that are technically necessary to display the website. Only if you give us your consent will we set cookies for other, non-technically necessary purposes.
    • Use of technically necessary cookies - In order to enable interaction with us via our website, it is necessary to store the cookies contained in the following link on your device (e.g. computer, mobile phone or tablet) for the duration specified there for the purpose described there and also to read them. The cookie is stored on your device on the legal basis of Section 165 Paragraph 3 TKG for the purpose of displaying the website, as this is a service you have expressly requested in accordance with Section 165 Paragraph 3 TKG.
  • The ECCO Website uses Matomo Analytics software, which relies on cookies as well. They are stored on your computer and generate information for the analysis of the ECCO webpages used by you (including your IP address in anonymised form), which is stored on a server located in Austria.

The provision of the data listed above is neither legally nor contractually required and is not necessary for the conclusion of a contract. You are under no obligation to provide this information. If you do not allow cookies to be set and read in your browser, we will not be able to display certain features of the website to you.

Storage time

ECCO IT Hub of course also observes the principle of storage limitation for personal data.

  • IP address of ECCO Website visitors: The server logs are saved in order to be able to check the system security, to administrate the website technically and to be able to optimize the offer. The server logs are stored for the duration of 3 months. After this period the identity of the user can no longer be determined, even by ISPs.
  • Pseudonymised IP address storage in the Matomo Analytics software of the ECCO Website: 24 months

b. ECCO Portal Account Holders:

ECCO IT Hub processes the following personal data as provided by you in setting up an ECCO Portal Account and choosing to participate in further interactions (please refer to the section 3 below, which describes the different categories of interaction from the perspective of data subject types) :

  • Basic information required: first name, last name, date of birth/ age, email, nationality
  • Further optional information – depending on activity or project: 
    • title, address(es), phone number(s), postal address(es), fax, gender identity, profession, place of work, professional specialization, expertise & particular areas of interest, HCP (health care professional) status; ORCID number
    • biography and photo – if shared by you via portal profile
    • your ECCO Membership status
    • disclosures of potential conflicts of interest
    • questions, answers & votes submitted via the Q&A tool provided in the ECCO App
    • passport details for congress invitation letters
    • bank transfer andreimbursement data, invoicing data, pseudonymised Credit Card data
    • The election process generates a ranking result which is kept confidential within ECCO Office archives. 
    • applications to open calls, event and project participation(s)
    • reviewer status / availability
    • In addition, the scientific review process generates a review result for the submitters of abstracts and applications for fellowships and grants which will be stored in connection with the abstract submitted via the submitter’s account.
    • E-QUALITY data (supported by unrestricted grants)
    • portrait pictures and event photos and film footage

Storage time

ECCO IT Hub of course also observes the principle of storage limitation for personal data and will process the following data of Portal Account Holders until withdrawal of consent, but not longer than for 7 years:

  • Beyond that time, ECCO IT Hub will only process data for association archive purposes (such as name, photographs and video material).
  • Personal (non-scientific) supporting documents (such as letters of intent, CVs, publication lists), submitted in the context of applications to open calls, event and project participation(s)are stored not longer than 3 years.

c. ECCO App data users (“ECCO IBD"):

ECCO App processes the following data:

  • If you installed the App without any further sign-in and consent in the app:

information related to end users’ personal devices and network including microphone and camera information, CPU status, memory status, battery status, system version, phone model, phone signal level, received signal strength indicator (RSSI), network type, user attributes and channel attributes.

  • If you sign in with your ECCO Portal Account in the ECCO App, the following categories of data are processed in the ECCO App:

first name, last name, email address, password (encrypted), title, job title, company, country, biography, picture, social media handles, website URL, address, phone number and other profile information, chat messages, chat participation for sessions and topics, social wall posts and comments, questions, votes and ratings submitted in sessions, moderated sessions, bookmarks of programme items, notes taken,

In addition, as a signed in user, you can create appointments in the respective ECCO Congress App/ My Congress / Programme section. If you agree to be “visible”, other ECCO App users can find, contact and invite you to a meeting.

Storage time

  • App usage starts upon installation
  • Duration:
    • Due to Container App (Association Usage), App continues to be on the phone
    • Event will be unpublished (in alignment of EACCME accreditation / 90 days after event – no download possible anymore) and deleted after 36 months.
    • Storage time of log data on Conference Compass side = AWS servers as well after deinstallation (24 months). 
  • App storage time on phone ends with deinstallation

If you click a link in the app that leads to ECCO Website, data processing as described in the following section (“Categories of data processed of ECCO Website Visitors & data storage time”) will be processed.

3. Purpose, Legal Basis and Data Subject Groups:

Within the data processing of ECCO IT HUB as joint controllership described in Sections 1 and 2 above, you as ECCO Portal Account holder can choose to participate in various interactions and to assume “particular roles”  as listed in the table below.

The following section aims to provide an overview on the data-processing purposes and respective legal basis from reader-friendly perspective according to the roles that you can choose.

As ECCO IT HUB may receive your personal via a contact person in the case of group registration, nomination and submission processes, the overview table below also shows for which roles this can be the case. For data received by third parties Article 14 of the GDPR stipulates that you can separately identify in the privacy policy the source purpose, legal basis and data categories.

ECCO IT HUB solely processes your personal data for the purpose of:

  • centralised and up-to-date data administration of ECCO Membership, Congress and event participations as well as stakeholder status in order to avoid scattering loss of up-to-date contact details among the business units of the joint data controllers
  • facilitating communication among stakeholders of the IBD Community (= the data subjects in the ECCO Database) and making relevant data visible via the ECCO Website and the ECCO App (including the display of names and affiliations of Congress speaker and ECCO Officer and the disclosure of conflicts of interest, names and affiliation)
  • the collection and selection process with respect to open research calls, open manuscript-project calls and open calls for positions in ECCO
  • the collection of nominations for educational activities or for projects for IBD Intensive Course for Trainees and N-ECCO School held at the annual ECCO Congress 
  • facilitating the whole process of submission, review and publication of scientific abstracts of the annual ECCO Congress as well as facilitating the scientific review of ECCO Fellowships and Grants application
  • conducting statistical analyses and reports based on legitimate interest
  • historic self-documentation of ECCO (especially with respect to the association and congress history)

These purposes translate into the following specific processing per subject group:

ECCO Members

  • ECCO Membership administration 

contractual basis

  • ECCO Membership confirmations to OUP for JCC reductions or waivers for open access fees

contractual basis

Data received from third parties (Article 14 of the GDPR):

Membership Group Registrations

    • Source of the data: tour operator agencies booking group memberships
    • Purpose: invitation to pre-paid ECCO Membership
    • Legal Basis: consent of data subject to tour operator agencies booking group registrations; these tour operators are under a contractual obligation with OCEAiN to collect your consent for this registration in advance.
    • Data categories processed: first name, last name, email address and country

 

ECCO Meeting participants & networking

  • ECCO Meetings organisation (such as ECCO Autumn Meetings, ECCO Meetings at UEGW, Bi-annual Council of National Representatives Meeting) administration (consent) & reimbursement procedure 

contractual basis

 

  • Collaboration with Partner Societies and Global Friends of ECCO

(legitimate interest in maintaining contact and communicating)

  • ECCO National Study Group meeting 

Consent (Art 6 para 1 lit a GDPR)

ECCO Learners & e-Learning contributors

  • ECCO e-Learning content development & publication 

depending on contributor status: consent, contractual basis

  • ECCO e-Guide content development 

Consent (Art 6 para 1 lit a GDPR)

  • ECCO e-Learning access administration and statistics

contractual basis (legitimate interest)

  • ECCO Educational Workshop registration 

contractual basis

 

Data received from third parties (Article 14 of the GDPR):

Nomination process of the course candidates:

  • for the IBD Intensive Course for Trainees
    • Source of the data: National Representatives of ECCO Country Members
    • Purpose: invitation to free-of-charge educational course at ECCO Congress
    • Legal Basis: consent of data subject to respective ECCO National Representative submitting nominations for this course; legitimate interest of data subject to be admitted to this selective course.
    • Data categories processed: first name, last name, email address, city, country, years of experience, letter of intent
  • for the N-ECCO School
    • Source of the data: N-ECCO National Representatives of ECCO Country Members
    • Purpose: invitation to free-of-charge educational course at ECCO Congress
    • Legal Basis: consent of data subject to respective ECCO National Representative submitting nominations for this course; legitimate interest of data subject to be admitted to this selective course.
    • Data categories processed: first name, last name, email address, city, country, phone number

Applicants to open ECCO Calls

  • ECCO Organs elections - application collection 

(pre-contractual basis)

  • ECCO Organs – internal and public communication

(contractual basis)

  • Applications for open JCC and ECCO News positions

(pre-contractual basis)

  • ECCO Fellowships and Grants - application collection 

(pre-contractual basis)

  • ECCO Young Researcher Award – application collection

(pre-contractual basis)

  • ECCO Manuscript application collection (Guidelines, Topical Reviews, Scientific Workshop Papers, Position Statements) 

(pre-contractual basis)

  • Acknowledgment of Y-ECCO contributors

Consent (Art 6 para 1 lit a GDPR)

ECCO Project participants

  • ECCO Disclosure policy of potential conflicts of interest

(contractual basis)

  • ECCO Manuscript development (Guidelines, Topical Reviews, Scientific Workshop Papers, Position Statements) (consent)

Consent (Art 6 para 1 lit a GDPR)

  • ECCO CONFER project case proposal and similar case collection 

Consent (Art 6 para 1 lit a GDPR)

  • E-QUALITY project publications

(pre-)contractual basis (Art 6 para 1 lit b GDPR)

ECCO Reviewers

  • Expert invitations to review ECCO Congress Abstracts as well Fellowships and Grants

legitimate scientific interest

  • Applications to the ECCO Fellowship and Grants Reviewer Database

Consent (Art 6 para 1 lit a GDPR)

·        ECCO Fellowships and Grants – scientific review

Consent (Art 6 para 1 lit a GDPR)

  • ECCO Congress Abstracts – scientific review

Consent (Art 6 para 1 lit a GDPR)

  • Acknowledgment of the Reviewers of ECCO

Consent (Art 6 para 1 lit a GDPR)

ECCO Congress Abstract Submitters / Selected Presenters

  • ECCO Congress abstract submission system (consent)

Consent (Art 6 para 1 lit a GDPR)

  • ECCO Congress abstract and programme publication on the ECCO App, ECCO Website, ECCO Virtual Congress platform & printed matters 

(pre-)contractual basis (Art 6 para 1 lit b GDPR)

  • ECCO Congress poster presentations: the consent to be contacted via ECCO Virtual Platform by delegates with regards to their e-poster  

Consent (Art 6 para 1 lit a GDPR)

Data received from third parties (Article 14 of the GDPR):

Congress Abstract submission process for an author group:

    • Source of the data: Abstract submitter
    • Purpose: participation in the abstract selection for Abstract presentations at the ECCO Congress
    • Legal Basis: consent of data subject to submitting author of the author group; legitimate interest of data subject to participate in this scientific abstract selection.
    • Data categories processed: first name, last name, email address, institute, department, city, country, conflicts of interest

Congress Faculty

  • ECCO Disclosure policy of potential conflicts of interest

 

  • ECCO Congress programme publication on the ECCO App, ECCO Website, ECCO Virtual Congress platform & printed matters 

(pre-)contractual basis (Art 6 para 1 lit b GDPR)

  • ECCO Congress faculty registration 

(pre-)contractual basis (Art 6 para 1 lit b GDPR)

  • ECCO Congress travel bursary reimbursement procedure 

(pre-)contractual basis (Art 6 para 1 lit b GDPR)

Congress Participant

  • ECCO Congress delegate registration 

contractual basis

  • ECCO Virtual Congress access administration 

contractual basis

  • Onsite access control via badge scanning and voting via ECCO App 

contractual basis

  • Voting via ECCO App – e.g.: for educational courses

Consent (Art 6 para 1 lit a GDPR)

  • ECCO Congress CME accreditation and administration – including tracking

Consent (Art 6 para 1 lit a GDPR)

  • ECCO Congress onsite speaker centre 

(pre-)contractual basis (Art 6 para 1 lit b GDPR)

  • ECCO Congress industry badge scanners 

Consent (Art 6 para 1 lit a GDPR)

Data received from third parties (Article 14 of the GDPR):

Congress Group Registrations (Article 14 of the GDPR):

    • Source of the data: tour operator agencies buying e-vouchers which they sent to their delegates to be activated
    • Purpose: invitation to pre-paid ECCO Congress Registration
    • Legal Basis: consent of data subject to tour operator agencies booking group registrations; these tour operators are under a contractual obligation with OCEAiN to collect your consent for this registration in advance.

Data categories processed: first name, last name, company, email address and country, badge-pick-up

Corporate & Business Partners

  • ECCO Congress industry webshop and sponsor & exhibitor administration including exhibition build-up companies 

(pre-)contractual basis (Art 6 para 1 lit b GDPR)

  • ECCO Congress Exhibitor & Sponsorship management such as freight forwarding company, Congress Centre 

(pre-)contractual basis (Art 6 para 1 lit b GDPR)

  • ECCO supplier and employee contact administration 

(pre-)contractual basis (Art 6 para 1 lit b GDPR)

Contributors & Audience of “ECCO Channels” (ECCO Website, e-Newsletter, ECCO News)

  • Publication of ECCO News 

Consent (Art 6 para 1 lit a GDPR)

  • Promotion of ECCO Congress and Association activities 

depending on ECCO Membership or Congress Participant status: legitimate interest, contractual basis, consent 

  • ECCO Website statistics for internal market research purposes 

Consent according to cookie banner

  • ECCO Website security measures and fraud prevention (consent)

Legitimate interest

  • ECCO App installation by users and statistics reporting by ECCO IT Hub 

Consent according to cookie banner

  • Closed virtual networking groups in the ECCO App

Separate consent via sign-in functionality in the App

Satellite symposia speaker information received from event organisers (Article 14 of the GDPR):

    • Source of the data: sponsor agencies organising satellite symposia
    • Purpose: ECCO Congress programme publication – speaker presentation on faculty webpage
    • Legal Basis: consent of data subject to sponsor agencies; these agencies are under a contractual obligation with a corporate sponsor to collect your consent in advance of publishing your speaker bio and picture
    • Data categories processed: first name, last name, speaker biography and picture 

4. Photo and Media policy (relevant for all data subject groups mentioned above):

    • Portrait pictures submitted by data subjects themselves or taken by the ECCO photographer(s) are based on your explicit consent (Art 6 para 1 lit a GDPR), which can be withdrawn according to point 7 below.
    • Fellowships, Grants and Award Winner pictures: ECCO Congress slides, website, promotional material and for the ECCO News publications
    • As event organisers, ECCO and OCEAiN reserve the right on their legitimate interest (Art 6 para 1 lit f GDPR) to use ECCO Congress photos and film footage of the official ECCO photographers and film team (as also stated in the ECCO Congress registration terms and conditions) as well as to use photos of other ECCO events in which you might be captured. Should you wish to object to the use of a specific photo or film footage, you can address the ECCO Office as outlined in point 6 below.

These photos and film footage are intended for reporting about the event on the ECCO Website, ECCO App, the e-Learning Platform of ECCO, in the ECCO eNewsletters, in promotional material (such as Congress break slide) and in printing material (such as the ECCO Anniversary Book series, posters and flyers). 

 5. Automation-assisted decision making

We would like to inform you that no data processing takes place within the meaning of Article 22 GDPR. This means: We will not take a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you; any decision with a corresponding effect will be made by a natural person.

 6. Data recipients and sub-processors:

In order to initiate, maintain and administer your data according to the respective purpose, it is necessary for us to disclose your data to the following recipients for the following purposes. This disclosure may be made by transmission, dissemination, or any other form of making available.

In order to adequately fulfil the intended purposes listed above, ECCO IT Hub contracts primarily data processors based in the European Union – including but not limited to: 

Recipient

Purpose

Location

COVR / Netropolix 
https://www.netropolix.be/

customer management system of the ECCO Database

Belgium

SOL4
https://www.sol4.at/ 

ECCO Website Support

Austria

Matomo Analytics
https://matomo.org/

Website Statistics

 

EU server providers & local IT support

 

Austria, Germany and Switzerland

Conference Compass
https://www.conferencecompass.com/

ECCO App software including ECCO Congress onsite voting

Netherlands

Rapidmail
https://www.rapidmail.de  

ECCO eNewsletter distribution

Germany

PAYONE 
https://www.payone.com/DE-en

ePayment system on the ECCO Website

 Austria and Germany

acconomy Software GmbH: 
www.acconomy.at 
and BMD / Finmactics
https://www.bmd.com


as bookkeeping system

 

Austria

Tax advisor & bank

 

Austria & branch of respective congress destination

CGS Clinical Guidelines Services
https://www.guideline-service.de/

Guidelines Platform

Germany

Oxford University Press

publisher of JCC

UK

GTN https://gtn-solutions.com/

e-Learning platform support

Austria

IBDiM Ltd. (research unit of ECCO) and its sub-processor Persei
https://perseivivarium.com/ 

E-QUALITY project implementation

 

Austria / Spain

H82 https://www.h82.eu

ECCO Congress Speaker Centre

Austria

Proddigi https://www.proddigi.com/

ECCO (Congress) film team

Spain

Film Factory

ECCO (Association) film team

Slovenia

Rainer Mirau 
https://www.rainermirau.at/ 
Martin Hörmandinger
https://www.mh-photography.at/

ECCO (Congress) photographer

 

Austria

Printing companies

 

Austria

IML

freight forwarding company

Austria

Congress centre of the ECCO Congress destination

 

For direct “ordering” of Sponsors and Exhibitors

Respective ECCO Congress destination

The ECCO Website, the ECCO Virtual Congress platform and the eNewsletter might contain news items of partner organisations which feature external links: the privacy policy and the terms and conditions of the ECCO IT HUB do not apply to these external websites, which need to be consulted separately for cookie and data protection policies.

  • Non-European recipients and sub-processors:
    • In case applications are submitted to the scientific review in the context of Fellowships and Grants application reviews and the Congress Abstract reviews, this process includes individual experts from outside of Europe.
    • In case Educational Workshops take place outside of Europe, the registration lists for this respective Workshop are shared with the local organiser.
    • American Express (via Pay one)
    • Zoom https://www.zoom.us/ as ECCO online meeting and webinar tool
    • Metafusion https://www.meta-fusion.com/ using AWS for live streaming of the scientific programme of the ECCO Congress.
    • Kuoni using Eventsair https://eventsair.com/ with Centium Software PTY LTD in Australia as sub-processor: ECCO is arranging accommodation for the faculty members with the Kuoni housing agency which needs contact details to confirm bookings with the respective hotel. 
    • The ECCO Virtual Congress and event platform relies on some US-based IT Services as well as on European IT Services with US-based sub-processors:
      Zoom https://www.zoom.us/ as online back-end for ECCO Congress Speakers in case of virtual solution
      Cloudflare https://www.cloudflare.com/ as peak-time server capacity support
      Slido https://www.sli.do/ as virtual solution for Q&As
      Vimeo https://www.vimeo.com/ as streaming channel on the Virtual Congress Platform
      Pubnub https://www.pubnub.com/ as networking extension tool on the Virtual Congress Platform
    • The ECCO Virtual Congress platform - and the online exhibition in particular - also features links to external company websites and chat tools – which are declared as such. This privacy policy and the terms and conditions of the ECCO Virtual Congress do not apply to these external websites, which need to be consulted separately for cookie and data protection policies. These websites are not within the responsibility of ECCO and OCEAiN, who may therefore not be held liable.
    • In case you explicitly consent to badge scanning in the ECCO Congress exhibition or satellite symposia, we transfer your personal data (Name; Contact details) to the exhibition or sponsor companies of the congress, some of which do have their head-quarters in the USA. The current list of exhibitors (which can change from year to year) can be found via the annual Congress Website (accessible via https://www.ecco-ibd.eu/congresses-and-events.html )  in the exhibitor section. You may withdraw your consent at any time. The withdrawal of your consent shall not affect the lawfulness of processing based on consent before its withdrawal.
  • DocuSign: https://www.docusign.com/de-de/datenschutzerklaerung/datenschutz

7. Data processing to assert legal claims and conduct proceedings before authorities (including courts)

a. Data categories, purposes and legal bases

ECCO IT HUB may also process your data for the purpose of asserting, exercising or defending legal claims and for handling proceedings before authorities (including courts) to protect its legitimate interest (Article 6 (1) (f) GDPR). This legitimate interest lies in enforcing existing and defending against non-existent claims as well as in handling official (including judicial) proceedings to protect the legal position of ECCO and OCEAiN.For this purpose, we also store your consent as outlined in Section 3 to protect this legitimate interest in proving your consent, i.e. to defend legal claims. In order to assert legal claims and to carry out proceedings before authorities (including courts), ECCO IT HUB processes all categories of data that are necessary for this. This potentially includes all categories of data from you that is already processed for other purposes as well as data that ECCO IT HUB does not collect from you (see Section b in detail). 

b. Collection of data from other sources (information in accordance with Art. 14 GDPR)

For the purpose of asserting, exercising or defending legal claims and conducting proceedings before authorities (including courts), we also collect your data from other sources: Data category: contact details – publically accessibleSource: Website of organisationPurpose: extrajudicial contact, provision of contact details to authorities (including courts)  Data category: data retrieved form public registers, mainly contact details of and roles in a legal entity, data of running or closed proceedingsSource: commercial registers, association registers, land title registers, executive registers

Purpose: to assert legal claims and conduct proceedings before authorities (including courts)

c. Storage period, processing period 

ECCO IT HUB processes data required to assert legal claims for this purpose for up to 30 years after the end of the business relationship.In the event of official or judicial proceedings, ECCO IT HUB will store your data for the duration of these proceedings and, depending on the subject matter and outcome of the proceedings, for up to a further 30 years from the final conclusion of the proceedings. In the event that data subjects' rights are asserted under the GDPR (see point 6 for details), we store the associated data for three years from the last contact in connection with the assertion of a data subject's rights.  

d. Recipients of data

In order to assert, exercise or defend legal claims and to handle official (including judicial) proceedings, it is necessary that we disclose your data to the following recipients for the following purposes. This disclosure may be made by transmission, distribution or other form of delivery. 

Recepient: Christely
Data categories: access to all data of ECCO IT Hub necessary for remote support
Purpose: IT Remote Support
Legal Basis :  No legal basis is required as there is an order processing relationship
Registered Seat: Austria
Basis for transfer to 3rd country: no

Recepient: Lawyers and Tax Advisors
Data categories: all data necessary to establish compliance with legal obligations and for defence in court
Purpose: Evaluating and establishing compliance with legal obligations
Legal Basis: legitimate interest (Art 6 Abs 1 lit f DSGVO)
Registered Seat: Austria or EU
Basis for transfer to 3rd country: Art. 49 (1) e

Recepient: Insurance companies
Data categories: all data necessary to process insurance claims
Purpose:  Processing of claims
Legal Basis: legitimate interest (Art 6 Abs 1 lit f DSGVO)
Registered Seat: Austria or EU
Basis for transfer to 3rd country: Art. 49 (1) e

Recepient: Authorities (including courts)
Data categories: all data necessary to establish compliance with legal obligations and for defence in court and in front of authorities
Purpose: Handling of proceedings and legal disputes
Legal Basis: Not required as recipient is located within the EEA.
Registered Seat: Austria or EU
Basis for transfer to 3rd country: Art. 49 (1) e

8. Your rights as data subject:

 a. Data self-management

If you participate in the ECCO App and/or an ECCO virtual event and/or the volunteer acknowledgement section of the ECCO Website, you can choose to share your personal information as well as your opinion in public debates with the other participants.

  • The content of all postings and the contribution to public debates is solely your responsibility as participant who chose to actively share information. Neither ECCO or OCEAiN nor their expert volunteers or staff members can be held liable for this posted content, while ECCO and OCEAiN reserve the right to edit, rectify or delete postings of participants for good faith or legal reason.
    • Self-management of consent-based data of ECCO Portal Account used for single-sign on solution in ECCO App: your first name, last name, and email address (= you can reject that the ECCO Portal data is shared with the ECCO App)
    • Self-management of data storage and data subject rights (= the users can delete themselves): social media, website, address, job title, biography, company, country, topics of interest, portrait picture, written chat contributions
    • No data storage; self-management of data subject rights in live engagement (= you can decide yourself when to turn on/off the camera/mic/screen sharing): camera image, audio transmission, image and screen sharing
    • While text postings on the social wall can be deleted by you (= self-management of data subject rights) and with this deletion also the answer comments, you cannot delete on your own your answer-comments to postings.
  • You may directly access and modify your information via your personal log-in under the following link: https://cm.ecco-ibd.eu/cmPortal/Account/Login?ReturnUrl=%2FcmPortal%2FPortal%2FGEN00%2Fnormal.

b. General principles

To assert one of the below mentioned rights or to withdraw your consent, you can  contact ECCO IT HUB at any time under the contact details provided in point 9.

Data subjects of group registrations are contacted by ECCO Office within the first month with full transparency about this general ECCO Privacy Policy outlined here. 

Your personal data will not be subject to further processing in a way and manner that are incompatible with the intended purposes listed above.

According to Art. 13 (2) e GDPR, you are not obliged to agree to the processing of your data. However, please also note

  • that in case of the withdrawal of consent you will not be able to benefit or use all functions of ECCO IT Hub;
  • that in case of disagreement with the processing of necessary data for (pre-) contractual obligations, the business transaction cannot be implemented.

Please note that the withdrawal of your consent shall not affect the lawfulness of processing based on consent before its withdrawal, and that in certain circumstances ECCO IT Hub is entitled or else required to process certain forms of personal data for a period extending beyond the withdrawal of consent, either due to our contractual relationship with you, or else due to legal requirements.

In case you have chosen to enter in one or more contractual roles within the ECCO IT Hub, it is a requirement to provide us with the above-mentioned data. Please understand that we would not be able to manage your contractual role if the above-mentioned personal data required for this purpose were not available to us.

If you provide us with further data, we process it for the purposes of our legitimate interests (Art 6 para 1 lit f GDPR), namely to improve the quality of our contractual relationship and our service provision to you. The provision of such data is neither legally nor contractually required and is also not necessary for the entering into a contract. You are not obliged to provide this data.


We would like to inform you that you have the right to

  • request confirmation as to whether or not we process personal data relating to you; If this is the case, you have the right to information about this personal data and the information listed in Article 15 Paragraphs 1 and 2 GDPR; for the right to receive a copy of the personal data concerning you that is the subject of processing, see Article 15 Paragraphs 3 and 4 GDPR;
  • request the correction or completion of incorrect or incomplete data concerning you (see in detail Art 16 GDPR);
  • request the deletion of your data if there is no legal basis for further processing of your data (see in detail Art 17 GDPR); In this context, we cannot comply with deletion if the processing (storage) is necessary to fulfill a legal obligation (legal retention obligations) or we are entitled to do so based on overriding interests (e.g. assertion, exercise or defense of specific legal claims);
  • request the restriction of the processing of your data if certain conditions are met (see in detail Art 18 GDPR);
  • object to the processing of your data that is necessary to protect our legitimate interests or those of a third party (Article 6 (1) (f) GDPR). In the event of an objection, we will no longer process your data unless the processing serves to assert, exercise or defend legal claims or we demonstrate compelling legitimate reasons for the processing which outweigh your interests (if necessary taking your particular situation into account). If you object to processing for direct advertising purposes (including profiling to the extent that it is related to such direct advertising), we will no longer process your personal data for these purposes (see in detail Art 21 GDPR);
  • receive the transmission of the data you have provided in a structured, common and machine-readable format. However, the right to data portability only exists if the processing is based on your consent or on a contract (see Article 20 GDPR in detail).

If you revoke your consent, this does not affect the lawfulness of the data processing that has taken place up to this point (Article 7 Paragraph 3 GDPR). If, despite our commitment to process your data lawfully, you unexpectedly believe that your personal data is not being processed lawfully, please contact us under the contact details provided in point 9 so that we can learn about your concerns and address them.  However, you also have the right to lodge a complaint with the Austrian Data Protection Authority or with another data protection supervisory authority in the EU, in particular at your place of residence or work.

9. CONTACT POINT ACCORDING TO ARTICLE 13, 14 and 26 GDPR:

ECCO Office
Ungargasse 6/13, A-1030 Vienna, Austria
Tel: +43-(0)1-710 2242-0
Fax: +43-(0)1-710 2242-001
E-Mail: This email address is being protected from spambots. You need JavaScript enabled to view it. or This email address is being protected from spambots. You need JavaScript enabled to view it.

10. DATA PROTECTION OFFICER ACCORDING TO ARTICLE 37 GDPR:

Knyrim Trieb Rechtsanwälte OG
Mariahilfer Straße 89a, A-1060 Wien
T: +43 1 909 30 70, F: +43 1 9093639
E: This email address is being protected from spambots. You need JavaScript enabled to view it., W: kt.at
FN 462250f, HG Wien