ECCO IT HUB (= ECCO DATABASE) – PRIVACY POLICY ACCORDING TO GDPR

Version: March 2021

ECCO IT HUB consists of the following organisational entities with their registered seat in 1030 Wien, Ungargasse 6/13, and is based on a joint controllership agreement according to Article 26 General Data Protection Regulation (“GDPR”):

  • ECCO – European Crohn’s and Colitis Organisation (“ECCO”), registered in the Austrian Register of Associations (ZVR) under the registration number 468755685, as well as its daughter entity:
  • OCEAiN – Organisation, Congress, Emotion, Association, iNnovation GmbH (“OCEAiN”)

(together hereafter referred to as “ECCO IT HUB” or “we”).



1. Purpose

ECCO IT HUB solely processes your personal data for the purpose of:

  • centralised and up-to-date data administration of ECCO Membership, Congress and event participations as well as stakeholder status in order to avoid scattering loss of up-to-date contact details among the business units of the joint data controllers
    • ECCO Membership administration
    • ECCO Congress abstract submission system
    • ECCO Congress delegate registration
    • ECCO Congress faculty registration
    • ECCO Congress industry webshop and sponsor & exhibitor administration
    • ECCO Virtual Congress access administration
    • ECCO Congress CME accreditation and administration
    • ECCO e-Learning access administration
    • ECCO Educational Workshop registration
    • ECCO supplier and employee contact administration
  • facilitating communication among stakeholders of the IBD Community (= the data subjects in the ECCO Database) and making relevant data visible via the ECCO Website and the ECCO App (including the display of names and affiliations of Congress speaker and ECCO Officer and the disclosure of conflicts of interest, names and affiliation)
    • Promotion of ECCO Congress and Association activities
    • ECCO Congress programme publication
    • ECCO Congress abstract publication
    • ECCO Virtual Congress platform
    • ECCO Congress onsite speaker centre
    • ECCO Disclosure policy of potential conflicts of interest
    • ECCO Organs communication & meeting organisation
    • ECCO General Assembly voting administration
    • ECCO Manuscript development (Guidelines, Topical Reviews, Scientific Workshop Papers, Position Statements)
    • ECCO e-Learning content development
    • ECCO e-Guide content development
    • Publication of ECCO News
    • ECCO Website security measures and fraud prevention
  • the collection and selection process with respect to open research calls, open manuscript-project calls and open calls for positions in ECCO
    • Nomination collection for IBD Intensive Course for Trainees and N-ECCO School held at the annual ECCO Congress
    • ECCO Organs elections - application collection
    • ECCO Fellowships and Grants - application collection
    • ECCO Manuscript application collection (Guidelines, Topical Reviews, Scientific Workshop Papers, Position Statements)
    • ECCO CONFER project case proposal and similar case collection
    • IBD National Study Group Meeting
  • facilitating the whole process of submission, review and publication of scientific abstracts of the annual ECCO Congress as well as facilitating the scientific review of ECCO Fellowships and Grants application
    • ECCO Congress Abstracts – scientific review
    • ECCO Fellowships and Grants – scientific review
  • conducting statistical analyses and reports
    • ECCO Congress, Membership and project statistics
    • ECCO Website statistics for internal market research purposes
    • ECCO App statistics
    • ECCO Congress industry badge scanners



2. Legal basis of data collection

ECCO IT Hub only processes your personal data as follows:

  • We will ask for your consent to process your data in the following areas of our Website/App. You may withdraw your consent at any time. The withdrawal of your consent shall not affect the lawfulness of processing based on consent before its withdrawal:
    • ECCO Website cookies
    • ECCO Portal Account set-up
    • ECCO App installation and usage
    • ECCO e-Learning access for non-member health-care professionals until the age of 35
    • ECCO eNewsletter subscription of ECCO Portal Account Holders (without Membership)
    • Replies to open calls of ECCO (ECCO Organs, Manuscripts, Fellowships and Grants, IBD Intensive Course for Trainees, N-ECCO School, CONFER project, IBD National Study Group Meeting)
    • ECCO Educational Workshop registration
    • ECCO Congress Abstract submission
    • ECCO Scientific Reviewer status
    • ECCO Congress Faculty invitations (with a separate publication consent for congress material and, for poster presentations, the consent to be contacted by delegates with regards to their poster)
    • Personal contributions to ECCO Virtual Congress
    • Publication of personal disclosure information of potential conflicts of interest, of e-Learning and e-Guide material, of ECCO manuscripts and ECCO News
  • in performance of our (pre-)contractual obligation
    • ECCO Congress registration
    • ECCO Congress exhibition and sponsorship
    • ECCO supplier and employee contact administration
  • on legitimate interest according to Article 6 of the GDPR:
    • ECCO Membership administration for the fulfilment of our association purpose.
  • Photo policy:
    • Portrait pictures submitted by data subjects themselves or taken by the ECCO photographer are based on your explicit consent, which can be withdrawn according to point 7 below.
    • As event organisers, ECCO and OCEAiN reserve the right on their legitimate interest to use ECCO Congress photos and film footage of the official ECCO photographers and film team (as also stated in the ECCO Congress registration terms and conditions) as well as to use photos of other ECCO events in which you might be captured. Should you wish to object to the use of a specific photo or film footage, you can address the ECCO Office as outlined in point 7 below.

These photos and film footage are intended for reporting about the event on the ECCO Website, the ECCO App in the ECCO eNewsletters, in promotional material (such as Congress break slide) and in printing material (such as the ECCO Anniversary Book series). 



3. Data categories: What kind of data?

Your personal data will not be subject to further processing in a way and manner that are incompatible with the intended purposes listed above.

ECCO Website

ECCO IT Hub processes the IP address of ECCO Website visitors and cookie information chosen by you and as explained in the cookies setting banner:

  • The IP address is transmitted with every server request. ECCO IT Hub and its provider of statistical services do not store IP addresses permanently, but use them for session identification purposes and to prevent attacks only. The following information will be stored in the server logs: the IP address of the requesting computer, together with the date, time, which file is requested (name and URL), what amount of data is transferred to you, a message as to whether the request was successful, identification data of the browser used and the operating system used, as well as the website from which access was made (if access is via a link).
  • The ECCO Website uses Matomo Analytics software, which relies on cookies as well. They are stored on your computer and generate information for the analysis of the ECCO webpages used by you (including your IP address in anonymised form), which is stored on a server located in Austria.
  • During your visit to the ECCO Website, some information is collected and analysed for web controlling purposes. This information is provided by your browser. The following data are collected:
    • Requests (file name of the requested file) (e.g., beispiel.de/index.html)
    • Browser type/browser version (e.g., Internet Explorer 6.0)
    • Browser language (e.g., English)
    • Operating system used (e.g., Windows XP)
    • Inner resolution of browser window
    • Screen resolution
    • JavaScript activation
    • Java on/off
    • Cookies on/off
    • Colour depth
    • Referrer URL (the previously visited web site)
    • Time of access
    • Clicks
    • Total orders, if any
    • Content of forms, if any (in the case of text fields, e.g. name and password, only the information “completed“ or “not completed“ is transmitted)
    • The ECCO Website relies on several so-called cookies, which are small text files that are placed on your computer and saved by your browser ( - access all cookie details under the cookie banner). Cookies cannot be used to identify specific individuals and do not contain personal data. Most of the cookies used are so-called “session cookies” that are deleted at the end of your browser session. In addition, there are some persistent cookies used to recognize you as a returning visitor to the website.

ECCO Portal Account Holders in ECCO IT Hub

ECCO IT Hub processes the following personal data as provided by you in setting up an ECCO Portal Account and choosing to participate in further interactions:

  • name
  • email
  • address (es)
  • phone number (s)
  • postal address (s)
  • fax
  • gender
  • date of birth
  • age
  • profession
  • professional specialization
  • expertise & particular areas of interest
  • HCP (health care professional) status
  • your ECCO Membership status (which may also be published once per year with names per country in the context of the ECCO Congress)
  • applications to open calls, event and project participation(s)
  • disclosures of potential conflicts of interest
  • reimbursement data
  • portrait pictures and event photos and film footage
  • passport details for congress invitation letters
  • In addition, the scientific review process generates a review result for the submitters of abstracts and applications for fellowships and grants which will be stored in connection with the abstract or application submitted via the submitter’s account
  • The election process generates a ranking result which is kept confidential within ECCO Office archives

If you participate in the ECCO App and/or an ECCO virtual event, you can choose to share your personal information as well as your opinion in public debates with the other participants.

  • The content of all postings and the contribution to public debates is solely your responsibility as participant who chose to actively share information. Neither ECCO or OCEAiN nor their expert volunteers or staff members can be held liable for this posted content, while ECCO and OCEAiN reserve the right to edit, rectify or delete postings of participants for good faith or legal reason.
    • Self-management of consent-based data of ECCO Portal Account used for single-sign on solution in ECCO App: your first name, last name, and email address (= you can reject that the ECCO Portal data is shared with the ECCO App)
    • Self-management of data storage and data subject rights (= the users can delete themselves): social media, website, address, job title, biography, company, country, topics of interest, portrait picture, written chat contributions
    • No data storage; self-management of data subject rights in live engagement (= you can decide yourself when to turn on/off the camera/mic/screen sharing): camera image, audio transmission, image and screen sharing
    • While text postings on the social wall can be deleted by you (= self-management of data subject rights) and with this deletion also the answer comments, you cannot delete on your own your answer-comments to postings.

You may withdraw your consent regarding consent based data at any time. The withdrawal of your consent shall not affect the lawfulness of processing based on consent before its withdrawal.



4. Data received from third parties (Article 14 of the GDPR)

Please note that in the context of the following group registration, nomination and submission processes, ECCO IT HUB received your personal data via the contact person of the respective group registration:

  • Membership Group Registrations
    • Source of the data: tour operator agencies booking group memberships
    • Purpose: invitation to pre-paid ECCO Membership
    • Legal Basis: consent of data subject to tour operator agencies booking group registrations; these tour operators are under a contractual obligation with ECCO to collect your consent for this registration in advance.
    • Data categories processed: first name, last name, email address and country
  • Congress Group Registrations
    • Source of the data: tour operator agencies booking group registrations
    • Purpose: invitation to pre-paid ECCO Congress Registration
    • Legal Basis: consent of data subject to tour operator agencies booking group registrations; these tour operators are under a contractual obligation with OCEAiN to collect your consent for this registration in advance.
    • Data categories processed: first anme, last name, email address and country, badge-pick-up and certificates of attendances of their invited delegates in tour operator profile
  • Nomination process of the candidates for the IBD Intensive Course for Trainees
    • Source of the data: National Representatives of ECCO Country Members
    • Purpose: invitation to free-of-charge educational course at ECCO Congress
    • Legal Basis: consent of data subject to respective ECCO National Representative submitting nominations for this course; legitimate interest of data subject to be admitted to this selective course.
    • Data categories processed: first name, last name, email address, city, country, years of experience, letter of intent
  • Nomination process of candidates for the N-ECCO School
    • Source of the data: N-ECCO National Representatives of ECCO Country Members
    • Purpose: invitation to free-of-charge educational course at ECCO Congress
    • Legal Basis: consent of data subject to respective ECCO National Representative submitting nominations for this course; legitimate interest of data subject to be admitted to this selective course.
    • Data categories processed: first name, last name, email address, city, country, phone number
  • Congress Abstract submission process for an author group
    • Source of the data: Abstract submitter
    • Purpose: participation in the abstract selection for Abstract presentations at the ECCO Congress
    • Legal Basis: consent of data subject to submitting author of the author group; legitimate interest of data subject to participate in this scientific abstract selection.
    • Data categories processed: first name, last name, email address, institute, department, city, country, conflicts of interest
  • Multicentric Grant Applications for a research group
    • Source of the data: principal investigator of multicentric grant application
    • Purpose: participation in application process for multicentric grant application
    • Legal Basis: consent of data subject to principal investigator
    • Data categories processed: first name, last name, email address, affiliation, ECCO Membership ID
      In addition, the scientific review process generates a review result for the multicentric grant applications which will be stored in connection with application submitted via the submitter’s account.

Please note that data subjects of such group registrations are contacted by ECCO Office within the first month with full transparency about this general ECCO Privacy Policy outlined here. 

As a data subject, you can address the contact point and data protection officers as well as the data protection authority indicated below.



5. Data recipients and sub-processors:

  • European recipients and sub-processors: 
    In order to adequately fulfil the intended purposes listed above, ECCO IT Hub contracts primarily data processors based in the European Union – including but not limited to:

      In the group registration processes, group leaders have a restricted duplicate-check option via entering the correct email address and name.

  • Non-European recipients and sub-processors:
    • In case applications are submitted to the scientific review in the context of Fellowships and Grants application reviews and the Congress Abstract reviews, this process includes individual experts from outside of Europe.
    • In case that Educational Workshops take place outside of Europe, the registration lists for this respective Workshop are shared with the local organiser.
    • The ECCO Virtual Congress and event platform relies on some US-based IT Services such as the Vimeo video player and the Zoom online conference platform as well as on European IT Services with US-based sub-processors such as chat tools (incl. Slido: https://www.sli.do/ and Conference Compass: https://www.conferencecompass.com/  ) and networking tools. Online educational events will rely on a selection of these services as well.
    • The ECCO Virtual Congress platform - and the online exhibition in particular - also features links to external company websites and chat tools – which are declared as such. This privacy policy and the terms and conditions of the ECCO Virtual Congress do not apply to these external websites, which need to be consulted separately for cookie and data protection policies. These websites are not within the responsibility of ECCO and OCEAiN, who may therefore not be held liable.
    • In case you explicitly consent to badge scanning in the ECCO Congress exhibition or satellite symposia, we transfer your personal data (Name; Contact details) to the exhibition or sponsor companies of the congress, some of which do have their head-quarters in the USA. The current list of exhibitors can be found on the annual Congress Website (accessible via https://www.ecco-ibd.eu/congresses-and-events.html )  in the exhibitor section. You may withdraw your consent at any time. The withdrawal of your consent shall not affect the lawfulness of processing based on consent before its withdrawal.



6. Data storage time-frame:

ECCO IT Hub of course also observes the principle of storage limitation for personal data.

  • IP address of ECCO Website visitors: The server logs are saved in order to be able to check the system security, to administrate the website technically and to be able to optimize the offer. The server logs are stored for the duration of 3 months. After this period the identity of the user can no longer be determined, even by ISPs.
  • Anonymised IP address storage in the Matomo Analytics software of the ECCO Website: 24 months
  • ECCO IT Hub will process the following data of Portal Account Holders until withdrawal of consent, but not longer than for 7 years:
    • name
    • email
    • address (es)
    • phone number (s)
    • postal address (es)
    • fax
    • gender
    • date of birth
    • age
    • profession
    • professional specialisation
    • expertise & particular areas of interest
    • HCP (health care professional) status
    • your ECCO Membership status (which may also be published once per year with names per country in the context of the ECCO Congress)
    • applications to open calls, event and project participation(s)
    • disclosures of potential conflicts of interest
    • reimbursement data
    • passport details for congress invitation letters
    • In addition, the scientific review process generates a review result for the submitters of abstracts and applications for fellowships and grants which will be stored in connection with the abstract or application submitted via the submitter’s account
    • The election process generates a ranking result which is kept confidential within ECCO Office archives
    • Beyond that time, ECCO IT Hub will only process your data (including photographs and video material) for association archive purposes, or if we are obliged to process your personal data by law
  • Personal (non-scientific) supporting documents (such as letters of intent, CVs, publication lists), submitted in the context of applications to open calls, event and project participation(s)are stored not longer than 3 years.



7. Your rights as data subject:

Should you be affected by our processing of personal data, you have the right at any time to request access to rectification, or erasure of personal data, or restriction of the processing concerning your personal data or to object to processing as well as the right to data portability.

As data subject, you may withdraw your consent for

  • ECCO Website cookies (via deinstallation on user side)
  • ECCO Portal Account set-up
  • ECCO App installation and usage (via deinstallation on user side)
  • ECCO e-Learning access for non-member health-care professionals until the age of 35
  • ECCO eNewsletter subscription of ECCO Portal Account Holders (without Membership)
  • Replies to open calls of ECCO (ECCO Organs, Manuscripts, Fellowships and Grants, IBD Intensive Course for Trainees, N-ECCO School, CONFER project, IBD National Study Group meeting)
  • ECCO Educational Workshop registration
  • ECCO Congress Abstract submission
  • ECCO Scientific Reviewer status
  • ECCO Congress Faculty invitations (with a separate publication consent for congress material)
  • Personal contributions to ECCO Virtual Congress
  • Publication of personal disclosure information of potential conflicts of interest, of e-Learning and e-Guide material, of ECCO manuscripts and ECCO News
  • ECCO Congress – Industry Badge Scanner consent
  • Portrait pictures

from ECCO IT HUB to process your personal data at any time under This email address is being protected from spambots. You need JavaScript enabled to view it. or This email address is being protected from spambots. You need JavaScript enabled to view it. or by postal mail to ECCO Office, Ungargasse 6/13, A-1030 Vienna, Austria.

Please note that the withdrawal of your consent shall not affect the lawfulness of processing based on consent before its withdrawal, and that in certain circumstances ECCO IT Hub is entitled or else required to process certain forms of personal data for a period extending beyond the withdrawal of consent, either due to our contractual relationship with you, or else due to legal requirements.

According to Art. 13 (2) e GDPR, you are not obliged to agree to the processing of your data. However, please also note

  • that in case of the withdrawal of consent you will not be able to benefit or use all functions of ECCO IT Hub;
  • that in case of disagreement with the processing of necessary data for (pre-) contractual obligations, the business transaction cannot be implemented;
  • that in case you disagree with the legitimate interest according to Article 6 of the GDPR regarding ECCO Membership, you will not be able to become an ECCO Member.

You directly access and modify your information via your personal log-in under the following link: https://cm.ecco-ibd.eu/cmPortal/Account/Login?ReturnUrl=%2FcmPortal%2FPortal%2FGEN00%2Fnormal.

In case you believe that the processing of your personal data does not comply with the provisions of data protection, you can – other legal remedies in law courts or under administrative law notwithstanding – make a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement. In Austria, the supervisory authority is the Austrian Data Protection Authority (Österreichische Datenschutzbehörde).

According to Art. 13 (2) f GDPR, ECCO IT HUB does not generate automatic decisions including data profiling.

 

8. Nature of joint data processing by ECCO and OCEAiN:

The essence of the ECCO IT Hub arrangement according to Article 26 GDPR:

DESCRIPTION OF JOINT DATA PROCESSING OPERATIONS:

The ECCO Database constitutes the core for all projects on the side of ECCO Association as well the side of OCEAiN GmbH, who is in charge of organising the annual ECCO Congress, the e-Learning platform and publishing the ECCO News magazine.

As the ECCO Congress constitutes the annual meeting of the ECCO Members and other stakeholders in the field of inflammatory bowel diseases, the ECCO Database has a significant intersection set of data subjects as the same data subjects can be ECCO Members and Congress Delegates. 

The data subjects in the ECCO Database are health care professionals, pharma industry representatives, patient representatives and students in the field of inflammatory bowel diseases with an interest in both ECCO Association activities and ECCO Congress and e-Learning activities. In addition, the ECCO Database captures press contacts, as well as employees and contact persons of tour operator agencies booking group registrations and of supplier companies, which are contracted to implement projects of ECCO and OCEAiN. 

MEANS OF JOINT DATA PROCESSING OPERATIONS:

With the increasingly enhanced digitalisation of the joint data processing operations over the past years, the ECCO Website with a Login-Area called the ECCO Portal constitutes the main entrance door to all activities of ECCO and OCEAiN.

The ECCO Portal Account is the “front” side entrance door to and, after personal Login-In, the front side display of the respective personal data-set captured in the ECCO Database.

As soon as an ECCO Portal Account holder applies for ECCO Membership or engages in another activity, joint processing takes place in the ECCO Database: the use of synergy effects in data harmonization also aims to facilitate access of data subjects to activities within the larger framework of ECCO IT Hub (e.g. distribution of our newsletters, promotion of our Congress and educational/scientific activities, access facilitation via the publisher/distributor of our publications). 

Depending on the status of the data subject (e.g.: Membership status, Congress Registration statutes, Scientific Reviewer Status), the data subject can access various online tools (e.g.: online application process per open call, registration process for workshops or ECCO Congress, industry webshop)  and various levels of online content (e.g.: applications received for internal or scientific review, e-Learning material, meeting documents).

Most of the functionalities are directly provided by the ECCO Database suppliers and do not need data transfers to other suppliers.

The ECCO Website and the ECCO Database are hosted on a rented ECCO Server space in Austria.

Additional Platforms and technology needed are solved with a single-sign on technology with the ECCO Database, which are in particular

  • the ePayment tool used to process online credit card payments for ECCO Membership and ECCO Congress Registrations.
  • the e-Learning platform which is accessible to all ECCO Members and also to health care professionals as ECCO Portal Account holders without active ECCO Membership up to the age of 35. The single-sign on mechanism is based on an age check, which takes place within the ECCO Database before the access interface is enabled to the e-Learning Platform.
  • the ECCO App: upon installation of the ECCO App (offering a dedicated section for ECCO Association and another dedicated section for the annual Congress) on the data subject’s mobile device, first name, last name and email address is shared with the App provider company to allow the single-sign-on mechanism. In case of additional consent of the data subject chosen in  the settings of the App, the personal status (of Membership or Congress Delegates) can be shared in order to be visible for a chat-function tool.

In addition, two further joint data processing platforms are used to facilitate project management and communication:

  • the ECCO Office inhouse server
  • the eNewsletter Mailing Platform

PURPOSE OF JOINT DATA PROCESSING OPERATIONS: please refer to point 1 above.

CATEGORIES OF DATA PROCESSED UNDER THIS AGREEMENT: please refer to point 3 above.

DATA STORAGE LIMITATION: please refer to point 6 above.

ALLOCATION OF DATA PROTECTION TASKS/DUTIES (under Art. 26 GDPR)

The data protection tasks done jointly are

  • provision of information according to Article 26 paragraph 2 sentence 2 GDPR
  • common contact point for the fulfilment of data subjects’ requests,
  • information obligation according to Article 13 / 14 GDPR,
  • fulfilment of the request of access,
  • fulfilment of the request of rectification,
  • fulfilment of the request of erasure and restriction of processing,
  • notification to recipients (Article 19 GDPR),
  • fulfilment of the request of data portability, processing of withdrawals,
  • implementation of technical and organisational measures (Article 32 GDPR),
  • review and adaption of technical and organisational measures,
  • maintenance of a record of processing activities

The data protection tasks done separately are:

  • selection and assignment of data processors
  • processing of notifiable data breaches

CONTACT POINT ACCORDING TO ARTICLE 13, 14 and 26 GDPR:

ECCO Office
Ungargasse 6/13, A-1030 Vienna, Austria
Tel: +43-(0)1-710 2242-0
Fax: +43-(0)1-710 2242-001
E-Mail: This email address is being protected from spambots. You need JavaScript enabled to view it. or This email address is being protected from spambots. You need JavaScript enabled to view it.

DATA PROTECTION OFFICER ACCORDING TO ARTICLE 37 GDPR:

Knyrim Trieb Rechtsanwälte OG
Mariahilfer Straße 89a, A-1060 Wien
T: +43 1 909 30 70, F: +43 1 9093639
E: This email address is being protected from spambots. You need JavaScript enabled to view it., W: www.kt.at
FN 462250f, HG Wien

Portal