Data protection information according to Art. 13 DS-GVO when using the file sharing service DRACOON

DAHW, 27.11.2020

Data protection information in accordance with Art. 13 of the General Data Protection Regulation (DS-GVO) for external contact persons of DAHW Compliance with data protection regulations are very important to us. In the following we would like to inform you about the collection and processing of your personal data by us:

1. Responsible Entity

Responsible for the data processing described below is the

DAHW Deutsche Lepra- und Tuberkulosehilfe e.V.
Raiffeisenstraße 3
97080 Würzburg
Telefon: 0931 7948-0

2. Scope and legal basis of the data processing

2.1. Providing and exchanging files and directories using DRACOON
We use thefile sharing service DRACOON to provide
DAHW employees and external contacts with files and/or directories and to enable them to be exchanged in a secure manner.
When using DRACOON, the following usage data and personal data are processed:

  • IP address of the user
  • Time of user interaction,
  • Details of browsers and operating systems used,
  • Status of the user action (successful or failed),
  • Information on the specific interaction of the user:
  • Add or delete accesses, users and user permissions and usable storage space,
  • Logging in and out of the system, failed logins and their cause,
  • Information on creating and deleting directories and on sharing files and directories,
  • Information on the expiry of the access authorization,
  • Information on the classification of the files or directories as public, internal use, confidential or strictly confidential,
  • File or directory download details (including file and directory names),
  • Information on the change in the scope of the records of events.

With the exception of the IP address, the above information on the use of the service is recorded in event log files to ensure the security and functionality of the service and stored for a period of 30 days. The legal basis for this processing is Art. 6 para. 1 p. 1 lit. f DS-GVO.

Insofar as the provision of files and/or directories or the exchange of these in a secure manner is necessary as part of our communication with you, we process your data on the basis of Art. 6 Para. 1 lit. f DS-GVO.

If the use of DRACOON is necessary for the fulfilment of a contract concluded between you and us, we process your data on the basis of Art. 6 para. 2 p. 1 lit. b DS-GVO. The same applies, if the use of DRACOON is necessary for the implementation of pre-contractual measures that take place at your request.

If you also voluntarily provide personal information when using DRACOON (e.g. in the context of file or directory names), the associated data processing is based on your revocable consent in accordance with Art. 6 para. 1 sentence 1 lit. a, 7 DS-GVO.

You can revoke your consent at any time with effect for the future. Please note that processing that took place before the revocation is not affected by this.

Your data will be transferred to DRACOON GmbH, Galgenbergstraße 2a, 93053 Regensburg, Germany, as part of a commissioned processing pursuant to Art. 28 DS-GVO, which provides us with the file sharing service for use and supports us in related processes.

2.2.  Documentation of compliance with data protection:
If you give us your consent, we will also process your personal data (e.g. first name, last name, e-mail address and signature, if applicable) in order to be able to prove your consent within the scope of the accountability obligation incumbent upon us pursuant to Article 5 (2) of the Data Protection Regulation.

If you exercise your data subject rights under the GDPR towards us, we process your personal data in order to be able to prove, within the scope of accountability, that we have complied with the legal requirements of the GDPR when processing your request.

In addition, we may forward your personal data to our company data protection officer at datenschutz süd GmbH, who will assist us in complying with the requirements of the GDPR.

In each case, the processing is based on Art. 6 para. 1 p. 1 lit. c and f DS-GVO.

3. storage period

As a matter of principle, we store your data for as long as they are required to achieve the aforementioned purposes, you have not objected to their use or revoked your consent, and provided that there are no legal storage obligations to the contrary.

3.1 Storage period when using DRACOON

We process data in connection with your use of DRACOON initially for the duration of the use, i.e. the implementation and processing of the file exchange. In addition, we store usage data with the exception of your IP address for a period of 30 days in an event log file.

3.2 Storage period for data protection compliance documentationIf you exercise
your rights as a data subject under the GDPR, we will store your data related to the exercise of your rights until the end of three years, starting from the end of the year in which you exercised your right.

4. necessity of the data processing and voluntariness of the provision of your data

You are not obliged to provide your data. However, insofar as you would like to use DRACOON to exchange files and/or directories with us or would like us to make such files and/or directories available to you, the processing of the above-mentioned data is necessary for the implementation. Insofar as you also voluntarily provide, disclose or communicate other personal data, the provision is neither legally nor contractually required. Insofar as you do not provide this data, you may not be able to fully use certain functions of DRACOON beyond the implementation of the online meeting.

5. your rights

When processing your personal data, the GDPR grants you certain rights:

5.1. Right of access (Art. 15 of the GDPR)You have the right to request confirmation as to whether personal data concerning you is being processed; if this is the case, you have the right to be informed about this personal data and to the information listed in detail in Art. 15 of the GDPR.

5.2. Right to rectification and erasure (Art. 16 and 17 DS-GVO)
You have the right to request the rectification of inaccurate personal data concerning you and, where applicable, the completion of incomplete personal data without delay.

You also have the right to request that personal data concerning you be deleted without delay if one of the reasons listed in detail in Art. 17 DS-GVO applies, e.g. if the data is no longer required for the purposes pursued.

5.3. Right to restriction of processing (Art. 18 of the GDPR)
You have the right to request the restriction of processing if one of the conditions listed in Art. 18 of the GDPR applies, e.g. if you have objected to the processing pursuant to Art. 21 of the GDPR or for the duration of any review as to whether our legitimate interests override your interests as a data subject.

5.4. Right to data portability (Art. 20 DS-GVO)
In certain cases, which are listed in detail in Art. 20 DS-GVO, you have the right to receive the personal data concerning you in a structured, common and machine-readable format or to request the transfer of this data to a third party.

5.5 Right to object (Art. 21 DS-GVO)
If data is collected on the basis of Art. 6 (1) sentence 1 lit. f DS-GVO (data processing for the protection of legitimate interests), you have the right to object to the processing at any time for reasons arising from your particular situation. We will then no longer process the personal data unless there are demonstrably compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

5.6 Right of revocation (Art. 7 para. 3 sentence 1 DS-GVO)
If your personal data is processed on the basis of consent pursuant to Art. 6 (1) p. 1 lit. a DS-GVO, you have the right to revoke your consent pursuant to Art. 7 (3) p. 1 DS-GVO. You can revoke your consent at any time with effect for the future.

5.7. Right to lodge a complaint with a supervisory authority (Art. 77 DS-GVO)

Pursuant to Art. 77 DS-GVO,
you have the right to lodge a complaint with a supervisory authority if you are of the opinion that the processing of data concerning you violates data protection provisions. The right of complaint may in particular be asserted before a supervisory authority in the Member State of your residence, your place of work or the place of the alleged infringement.

The supervisory authority responsible for us is the Bavarian State Office for Data Protection Supervision, Postfach 1349, 91504 Ansbach.

6. Kontaktdaten des Datenschutzbeauftragten

Our company data protection officer will be happy to provide you with information or suggestions on the subject of data protection:

datenschutz süd GmbH
Kennwort: „DAHW“
Wörthstraße 15
97082 Würzburg
E-Mail: office(at)
Telefon: *49 - 931 304 976 0