of Plasmavita Healthcare II GmbH, Garnisongasse 4/12, 1090 Vienna, FN 508251 d, Tel.: (+43) 1 361 822 211, e-mail: firstname.lastname@example.org (hereinafter: “we” or the “responsible party”). Further information about us can be found at https://plasmavita.at/impressum/.
We respect and protect your (hereinafter referred to as the “data subject”) data protection and privacy rights and, will take all measures required by law to protect the personal data processed. We are the “controller” under data protection law with regard to the processing activities involving your personal data, presented below, when you visit our website or contact us as a (potential) plasma donor.
You can ask us about data protection issues at any time using the above contact details, or exercise your rights as a data subject. Our data protection officer is reachable at
consigma Management Beratung GmbH
Written inquiries or notice of the assertion of the data subject’s rights must please be made in German. Please note that reply letters, documents, etc. from the person responsible will also be sent in German.
It should be noted in advance that, in addition to the strict provisions of data protection law, we and our employees are also subject to further legal obligations of confidentiality, in particular the Blood Safety Act (BlutsicherheitsG).
In the following, you can get a quick and easy overview of which of your personal data are being processed, for which purposes and on which legal basis in this data protection information in accordance with Art 13 f GDPR. Furthermore, information is provided about the (possible) recipients of your data and your rights under data protection law, the so-called data subject rights.”
The used nouns are to be understood as gender-neutral and therefore include both the feminine and the masculine form.
1.1 For the purpose of “processing personal data relating to inquiries, for making appointments, and for organizing the plasma donation process on site, including displaying the first name and first letter of the last name on screens of the donor guidance system in the plasma donation centers (list of centers operated by us: https://plasmavita.at), and for data exchange with other donation centers for the protection of the donor, including computer-generated and archived text documents (such as correspondence) on these matters” we process the following personal data:
From (potential) donors to requests:
The data you provided (name, request) and any data generated by us (request and information documentation), which will be stored for a period of three years (justification: possible claims for damages in connection with information) in a personalized manner.
From (potential) donors to (agreed) donations:
The data you have provided (name, address, gender, date of birth, information in the donor questionnaire) and any data generated by us (appointment (and history thereof) including any donor exclusion documentation, donor identification data (including donor number, data/photo on donor ID and official photo ID, signature using electronic signature pad), documentation and contractual documents (including Blood Safety Act), any existing laboratory results (including any information about the donor’s blood indicators), calculation and billing data relating to expense allowances and premiums, donor information about and from other (see below) donation centers), which are stored for this purpose for a period of seven years (justification: obligation to retain data in accordance with corporate and tax law) in a personalized manner.
The donor’s data is required for the above-mentioned purposes and for the conclusion of the contract, and is also required by law for company and tax purposes. Without providing this data, no information can be provided or documented and no plasma donation can be performed.
1.2 Data processing is based on the fulfillment of the contract (Art. 6 Para. 1 lit. b GDPR (DSGVO) in line with the identification data and possible processing of special categories of personal data in accordance with Art. 9 Para. 2 lit g), h) (in conjunction with Para. 3), i) (in conjunction with § 11 Blood Safety Act including Blood Donor Regulation and Epidemic Act)).
1.3 There is no automated decision making or profiling according to Art. 22 para. 1 and 4 GDPR.
1.4 The processing of personal data takes place exclusively within the EU.
1.5 The following persons (“recipients” according to the terminology of the GDPR) may, under certain circumstances, have access to some data pertaining to the data subjects mentioned, as set out below for the purposes mentioned in the following paragraph, whereby our service providers are contractually obligated to strictly comply with the data protection regulations:
ebps logistics GmbH, Alserbachstraße18, 1090 Vienna receives all categories of data for the purpose of operating our IT infrastructure.
Microsoft Ireland Operations Ltd, One Microsoft Place, South County Business Park Leopardstown Dublin 18, D18 P521 Ireland, receives the correspondence data categories for the purpose of operating Office365.
Grifols Worldwide Operations Ltd, Grange Castle Business Park, Grange Castle, Clondalkin Dublin 22, Ireland, as the recipient of the plasma, receives the data categories of donor number, laboratory tests, and reason for donor block for the purpose of identifying all previously supplied plasma from a donor who has tested positive for a specific pathogen.
Our tax advisors receive the data categories relevant under tax law for the purpose of accounting and preparation of tax returns and annual financial statements.
2.1 Under the Blood Safety Act (BlutsicherheitsG) and related regulations, we are required by law to process the following personal data for the purpose of “lawful documentation of plasma donation, including donor identification, for complete traceability, and any contact for legal reasons”:
Data provided by you (name, date of birth, gender and primary residence, nationality, and any changes to this data, information gained from the donor questionnaire, information (including photo) on the donor card) and
data generated by us (documentation of the donor’s written consent, informational documents, donor card documentation (legally required identification), medical history, plasma donation data (including timestamps of individual process steps), date and results of medical screening, any donor exclusion documentation, any (serious) adverse events (including reporting documentation), laboratory test data, any donor information data regarding blood indicators, documentation of results from medical devices and diagnostics, data on personnel performing procedures),
which will be stored for this purpose for a maximum period of 30 years (justification: storage obligation according to the Blood Safety Act).
The provision of data by the donor is required by law and necessary for the aforementioned purposes. Without providing this data, no plasma donation can take place.
2.2 Processing is done on the basis of our legal authorization and in fulfillment of our legal obligations (Art. 9 para. 2 lit g), h) (in conjunction with para. 3), i) in conjunction with (esp §§ 11 f) Blood Safety Act including Blood Donor Ordinance and Epidemic Act (BlutsicherheitsG samt BlutspenderV und EpidemieG)).
2.3 No automated decision making including profiling according to Art. 22 (1) and (4) GDPR takes place.
2.4 The processing of personal data takes place exclusively within the EU.
2.5 The following persons (“recipients” according to the terminology of the GDPR) may gain access to the data of the data subjects mentioned below, or this data may be transmitted to them, whereby our service providers are contractually obligated to strictly comply with the data protection regulations:
ebps logistics GmbH, Alserbachstraße18, 1090 Vienna receives all categories of data for the purpose of operating our IT infrastructure.
RKHT Steve Rückhardt, Schulstraße 29, 07552 Gera receives donor data for marketing activities.
Microsoft Ireland Operations Ltd, One Microsoft Place, South County Business Park Leopardstown Dublin 18, D18 P521 Ireland, receives correspondence data categories for the purpose of operating Office365.
Grifols Worldwide Operations Ltd, Grange Castle Business Park, Grange Castle, Clondalkin Dublin 22, Ireland, as the purchaser of the plasma, receives the data categories donor number, laboratory tests and reason for donor block for the purpose of identifying all previously supplied plasma from a donor who has tested positive for a specific pathogen.
3.1 For the purpose of “processing data to distibute marketing materials”, we process the following personal data:
From Plasmavita Marketing Recipients:
Data provided by you (name, address, language and any comments and declarations or revocations of consent) and
Data generated by us (documentation of consent or revocation, shipping history),
which are stored for this purpose for the duration until revocation of consent and for three years thereafter (justification: any claims regarding shipment or revocation) in a personalized manner.
3.2 For the purpose of “processing data for online marketing, in particular social media” (for Facebook, see the additional information in point 4) we process the following personal data:
For online marketing testimonials (= donors after their own consent):
The data provided by you (name, photo, and any comments and declarations or revocations of consent) and
data generated by us (documentation of consent or revocation, online marketing history),
which are stored for this purpose for the duration until revocation and thereafter for three years (justification: any claims relating to use or revocation) in a personalized manner.
3.3 The provision of data is necessary for the stated purposes and documentation of consent and revocation is required by law. Without the provision of data, no marketing activities can take place.
3.4 Processing is based on the consent of the data subject, which can be revoked at any time (Art. 6 para. 1 lit. a GDPR or, in the case of the eNewsletter, § 107 TKG). The consent can be given as follows: in person, by mail, on the website, or by e-mail to the respective Plasmavita donation center.
3.5 No automated decision making including profiling according to Art. 22 (1) and (4) GDPR takes place.
Plasmavita currently operates the following Facebook and Instagram fanpages:
4.1 Scope and purpose of data processing
Specifically, Facebook collects so-called cookies when a fan page is visited (more detailed information can be found under point 6. Processing of cookies). The purpose of these cookies is, on the one hand, to enable Facebook to continuously improve its systems, in particular with regard to personalized advertising. On the other hand, to enable an evaluation of user data for statistical purposes, which can be useful to fanpage operators. Such an evaluation is provided to us as fanpage operator in anonymized form by Facebook. We have no access to the personal data in the cookies.
Unlike Facebook, we therefore do not generally receive and process any personal data from users who visit our fanpages (unless users specifically interact with us by, for example, sending us a message or leaving a comment), but only anonymized statistics.
Examples of information about visits:
Page and tab views: Information about how many times each tab and button (e.g., web page button, phone number button, “plan route” button) was viewed or clicked; information about whether the visitor hovered the mouse over the Fan Page name or profile picture to preview page content;
Information on whether the page was accessed from a computer or mobile device;
External referrals: Information on how often people came to Plasmavita Facebook Fanpage from a website outside Facebook via a link.
Information on (personal) data processing by Facebook, in particular also on any transmission to third countries, can be found in Facebook’s privacy statements (https://www.facebook.com/privacy/explanation and https://www.facebook.com/policies/cookies/). We have no influence on this.
4.2 Legal basis
The processing is based on the fulfillment of the contract (Art. 6 para. 1 lit. b GDPR), namely the Facebook user agreement concluded between the visitor of the Plasmavita Facebook fan page and Facebook (also to our benefit), or based on the consent (Art. 6 para. 1 lit. a GDPR) of the Facebook user (also to our benefit), whereby we cannot influence any revocation.
4.3 Storage period, deletion of data
The cookies set by Facebook are stored for up to two years after these cookies have been set or updated. You can delete stored cookies at any time in your browser settings. Likewise, you can generally prevent the setting of cookies in advance in your browser settings.
4.4 Data subject rights in connection with the Plasmavita presence on Facebook and Instagram (fan pages).
As described under point 4.1, we only process anonymized statistics of our fan pages and have no influence on the processing of the personal data underlying the statistics by Facebook. To assert your data subject rights (described in point 5), please contact Facebook directly:
Meta Platforms Ireland Ltd.
4 Grand Canal Square
Grand Canal Harbour
Dublin 2 Ireland.
5.1 Right to revoke consent: Insofar as the processing of your data is based on consent, you have the right to revoke consent at any time, without affecting the lawfulness of the processing carried out on the basis of consent before the time of revocation. The processes of revocation are indicated within the terms of your individual declaration of consent. You can also declare the revocation of individual consents at any time by sending a notification thereof to the contact details stated above.
5.2. Right of access: you have the right to request confirmation from us as to whether personal data concerning you is being processed. If this is the case, you have the right to be informed about this personal data (in the form of a copy of the personal data that is the subject of the processing) and to receive the following information: (a) the purpose(s) of the processing; (b) the categories of personal data being processed; (c) the recipients or categories of recipients to whom the personal data have been or will be disclosed; (d) if possible, the planned duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration; (e) the existence of the right to rectify or erase the personal data pertaining to you or to have the processing restricted by us, or a right to object to such processing; (f) the existence of the right to lodge a complaint with a supervisory authority; (g) if the personal data is not collected directly from you, any available information about the origin of the data; (h) the (non-)existence of automated decision-making, including profiling. In fulfillment of this obligation, we will provide a copy of the personal data that is the subject of the processing. For any additional copies you request, we may charge a reasonable fee based on administrative costs. If you make the request electronically, we must provide the information in a commonly used electronic format unless you specify otherwise.
5.3 Right to rectification and erasure: You have the right to request that we rectify any inaccurate personal data concerning you without undue delay. Taking into account the purposes of the data processing, you have the right to request the completion of incomplete personal data – also possible by means of a supplementary declaration. Furthermore, you have the right to request that we delete personal data concerning you without undue delay, and we are obliged to delete this personal data without undue delay if one of the following reasons applies: (a) the personal data is no longer necessary for the purposes for which it was collected or otherwise used, or (b) the personal data is no longer necessary for the purposes for which it was collected or otherwise used. (c) You successfully objected (see immediately below) to the processing. (d) The personal data has been processed unlawfully. (e) The erasure of the personal data is necessary for compliance with a legal obligation to which we are subject. (f) The personal data was collected in relation to services offered by the information society (consent of a child). The right to erasure does not exist, in particular, insofar as the processing is necessary for compliance with a legal obligation on our part and/or for the assertion, exercise or defense of legal claims.
5.4. Right to restriction of processing: You have the right to request that we restrict processing if one of the following conditions is met: (a) the accuracy of the personal data is/was contested by you, for a period of time enabling us to verify the accuracy of the personal data, (b) the processing is unlawful and you have objected to the erasure of the personal data and requested the restriction of the use of the personal data instead; (c) we no longer need the personal data for the purposes of the processing, but you need it after your duly substantiated statement for the assertion, exercise or defense of legal claims; or (d) you declare your objection to the processing, in which case the restriction will follow so long as it has not been determined that the legitimate grounds of our override yours. If processing has been restricted, such personal data may – apart from being stored – only be processed with your consent, or for the establishment, exercise, or defense of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of public interest of the Union or a Member State. If you have obtained a restriction of processing, you will be informed by us before the restriction is lifted.
5.5 Right to data portability: If the processing is based on consent or on a contract and the processing is carried out with the help of automated procedures, you have the right to receive the personal data concerning you that you have provided to us in a structured, common and machine-readable format. When exercising your right to data portability, you have the right to have your personal data transferred directly from us to another controller, where technically feasible.
5.6 Right to object: You have the right to object at any time, on grounds relating to your personal situation, to the processing of personal data concerning you which is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us, or which is necessary for the protection of the legitimate interests of us or of a third party. We will then no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or if the processing serves to assert, exercise or defend legal claims. If personal data are processed for the purpose of direct marketing, you have the right to object at any time to processing of personal data concerning you for the purpose of such marketing. If you object to processing for direct marketing purposes, the personal data will no longer be processed for these purposes.
5.7 Right to lodge a complaint with the supervisory authority: without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, place of work, or place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the law. The Austrian Data Protection Authority (DPA) can be reached at: Barichgasse 40-42, 1030 Vienna, phone: +43 1 52 152-0, e-mail: email@example.com, https://www.dsb.gv.at.
Status: November 2022
HEALTHCARE II GMBH
Plasmavita Healthcare II GmbH, based in Vienna, is a modern company specialising in the collection of human blood plasma for further processing into pharmaceuticals.
Plasmavita plays a leading role in the collection of plasma donations and, therefore, in patient care.