PEOC meets FORTEe – Bringing Together Evidence and Innovation in Pediatric Exercise Oncology
Converia – Conference Management Software

Privacy Policy

Last updated: 25 June 2025

Controller (Art. 4 (7) GDPR)

Universitätsmedizin der Johannes Gutenberg-Universität Mainz KdöR
Vertreten d.d. Vorstand, dieser vertreten d.d. Kaufmännischen Vorstand
Langenbeckstr. 1
55131 Mainz, Germany

The University Medical Center of Johannes Gutenberg University Mainz (hereinafter ‘University Medical Center Mainz’ or ‘we’) acts as the controller within the meaning of Art. 4 (7) GDPR.

Data-Protection Officer

Datenschutzbeauftragter der Universitätsmedizin Mainz
Langenbeckstr. 1
55122 Mainz, Deutschland
Telefon: +49 6131 17-0
E-mail: datenschutz@unimedizin-mainz.de

Supervisory Authority

Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Rheinland-Pfalz
Postfach 30 40
55020 Mainz, Deutschland
Telefon: +49 (0) 6131 8920-0
Telefax: +49 (0) 6131 8920-299
E-Mail: poststelle@datenschutz.rlp.de

General Information on Data processing

Scope
We process personal data on the basis of Art. 6 (1) (a), (b), (c) and (f) GDPR, depending on the specific purpose described below.

This website uses the Converia conference-management software. The application is hosted and technically operated for us by Johannes Gutenberg University Mainz (JGU) as a processor under an Art. 28 GDPR Data-Processing Agreement (DPA). Converia GmbH provides second-level support and maintenance to JGU and may therefore have occasional access to personal data as a sub-processor.

Registration and Use of the Function of the Conference Management Software

Description and scope of data processing

The conference management software offers users the possibility to register by entering personal data. The data is entered into an input mask and then transmitted to us and stored. Mandatory information is requested during registration. This information must be entered completely and accurately. If this is not the case, the registration will be rejected. The system provides for a function which requires that a data protection agreement must be actively confirmed before personal data is stored in the software.

For example, a registration process is usually required for the following activities:

  • Registration as a participant in an event
  • Submission of a scientific contribution in the system
  • Assessment of scientific contributions
  • Actions as a speaker or chair of a session

The following data is collected and stored during the registration process and use of the software functions:

  • Access data (user name, password)
  • Address details
  • E-mail address
  • Shopping cart data
  • Billing information
  • Information on contributions submitted

Payment processing

Various payment options (e.g. invoice/bank transfer, credit card, PayPal) are available for payment processing when participants register for an event. Sensitive payment information is not stored in the conference management system itself. For this purpose, specially certified payment service providers are employed, who perform the data processing and storage. The user is led directly to the website of the respective provider. Further information on data protection can be found on the websites of the respective service provider.

The following data is collected for payment processing:

  • selected mode of payment
  • invoice amount
  • amounts paid
  • billing data

Legal basis for data processing

The legal basis for the processing of data is Article 6 (1) (a) of the GDPR, provided the user's consent has been obtained. If registration serves the fulfilment of a contract to which the user is a party or the implementation of pre-contractual measures, the additional legal basis for processing of the data is Article 6 (1) (b) of the GDPR.

Purpose of data processing

A registration of the user is necessary for the fulfilment of a contract with the user or for the implementation of pre-contractual measures.

Storage period

The data will be deleted as soon as it is no longer required to achieve the purpose for which they were collected. This is the case for data collected during the registration process to fulfil a contract or to carry out pre-contractual measures, when this data is no longer required for the execution of the contract. After conclusion of the contract, it may still be necessary to store personal data of the contractual partner in order to fulfil contractual or legal obligations.

Possibility of objection and deletion

You can have the data stored about you amended at any time. For this purpose, please contact the controller by e-mail or telephone (see information above). If the data is required to fulfil a contract or to carry out pre-contractual measures, a premature deletion of this data is only possible to the extent that contractual or legal obligations do not preclude deletion.

Service Providers and Data-Processing Agreement

Role / Activity / Organisation / Location / Legal basis

  • Controller / Conference organisation / University Medical Center Mainz / Mainz, DE / Art. 6 (1) b,c
  • Processor / Hosting, operation and first-level administration of the Converia platform; database backups / Johannes Gutenberg University (JGU) Mainz / Mainz, DE / Art. 28 GDPR DPA
  • Sub-Processor / Application maintenance, updates, 2nd-level support for Converia software / Converia GmbH / Weimar, DE / Covered by the DPA with JGU
  • Recipient / Card-payment acquiring / Concardis GmbH / Eschborn, DE / Art. 6 (1) b, f GDPR

All participant data is processed solely on behalf of University Medical Centre Mainz; JGU and its sub-processors act under the instructions set out in the DPA.

Data Erasure and Storage Period

Personal data are deleted or blocked as soon as the storage purpose ceases to apply, unless European or national legislators require longer retention.

Purposes and Legal Bases of Processing

Purpose / Data categories / Legal basis (GDPR) / Storage Period

  • Technical provision of the website / IP address, date & time, user agent / Art. 6 (1) f – legitimate interest (secure operation) / Log files are deleted or anonymised after 10 days.
  • Account creation & congress registration / Name, contact & billing details, ticket & abstract data, login credentials / Art. 6 (1) b – contract / 4 years after your last login or, where contractual retention duties apply, until expiry of those duties
  • Payment processing / Selected payment method, invoice amount, transaction status / Art. 6 (1) b / Card data are held by Concardis for fraud-prevention purposes (max. 13 months); statutory accounting data are kept by us for 10 years in accordance with Sec. 147 AO / Sec. 257 HGB.
  • Transactional congress e-mails / Name, e-mail address, booking reference / Art. 6 (1) b / —
  • Statutory archiving obligations / Accounting and tax data / Art. 6 (1) c – legal obligation / 10 years

No web analytics, profiling, advertising cookies or social-media plug-ins are used.

Provision of the Website and Creation of the Log Files

Description and scope of data processing

Each time our website is visited, our system automatically collects data and information from the accessing computer’s system. The following data is collected:

  • Information on the browser type and version used
  • The user's operating system
  • The user's internet service provider
  • The user's IP address
  • Date and time of access

Legal basis for data processing

The legal basis for the temporary storage of data and log files is Article 6 (1) (f) of the GDPR.

Purpose of data processing

The temporary storage of the IP address by the system is necessary to enable the website to be delivered to the user's computer. For this purpose, the user’s IP address must be stored for the duration of the session.
This data is stored in log files to ensure the functionality of the website. We also use the data to optimise the website and to ensure the security of our information technology systems. Data collected in this context is not analysed for marketing purposes.
Data processing for these purposes is also in our legitimate interest in accordance with Article 6 (1) (f) of the GDPR.

Storage period

The data will be erased as soon as it is no longer required to achieve the purpose for which it was collected. If data is collected for the provision of the website, this is the case when the respective session has ended.
Data stored in log files is erased after no more than then days. Storage for a longer period is possible. In such cases, the user’s IP address is erased or masked so that it can no longer be associated with the accessing client.

Possibility of objection and deletion

The collection of data for providing the website and storage of data in log files are absolutely necessary for operating the website. Consequently, there is no possibility for the user to object.

Use of Cookies

Description and scope of data processing

Our website uses cookies. Cookies are text files that are stored in or by the web browser on the user’s computer system. When a user calls up a website, a cookie can be stored on the user’s operating system. This cookie contains a distinct character sequence that allows unambiguous identification of the browser when the website is called up again.
We classify cookies into the following categories:

  • Necessary cookies (type 1) – These cookies are essential for websites and their functions to work properly. Without these cookies, services such as the registration of participants cannot be provided.

Legal basis for data processing

The legal basis for the processing of personal data using cookies is Article 6 (1) (f) of the GDPR; our legitimate interest is the technically error-free and optimised delivery of our website.

Purpose of data processing

Only technically necessary (‘type 1’) session cookies are used on this website. No analytics, advertising or social-media cookies are set.

Cookie name Purpose Type
PHPSESSID Identification of a user session 1
Converia_SID Identification of a front-end user 1

Storage period, possibility of objection and deletion

Cookies are stored on the user's computer and transmitted from there to our website. This means that you as user have full control over the use of cookies. By changing the settings in your internet browser, you can deactivate or restrict the transmission of cookies. Cookies that have already been stored can be deleted at any time. This can also be effected automatically. If cookies are deactivated for our website, it may no longer be possible to use all of the website’s functions in full.

Possibility of Objection / Deletion

You may delete your account at any time unless legal retention duties prevent us from doing so.

Obligation to Provide Data

The data marked as mandatory in the registration form are required to conclude the participation contract. Without them, registration and abstract submission cannot be completed. All other fields are voluntary.

Rights of Data Subjects

Should personal data concerning you be processed, this means that you are a data subject within the meaning of the GDPR and have the following rights vis-à-vis the controller:

Right to information

You can request confirmation from the controller as to whether personal data concerning you is processed by us. If such processing has taken place, you can request the following information from the controller:

  1. (1) the purposes for which the personal data has been processed;
  2. (2) the categories of personal data that have been processed;
  3. (3) the recipients or categories of recipients to whom the personal data concerning you have been or are still being disclosed;
  4. (4) the planned duration of the storage of personal data concerning you or, if specific information on this is not available, the criteria for determining the storage period;
  5. (5) the existence of a right to rectification or deletion of personal data concerning you, a right to restriction of processing by the controller or a right to object to such processing;
  6. (6) the existence of a right to lodge a complaint with a supervisory authority;
  7. (7) any available information on the origin of the data, if the personal data were not collected from the data subject;
  8. (8) the existence of automated decision-making, including profiling in accordance with Article 22 (1) and (4) of the GDPR and – at least in these cases – meaningful information on the logic involved as well as the scope of such processing and its intended effects on the data subject.

You have the right to request information as to whether the personal data concerning you is transferred to a third country or to an international organisation. In this context, you can request information on the appropriate safeguards pursuant to Article 46 of the GDPR in connection with the transfer.

Right to rectification

You have the right to request from the controller rectification and/or completion of the processed personal data concerning you, if this data is incorrect or incomplete. The controller must carry out the rectification without delay.

Right to restriction of processing

Under the following conditions, you can request that the processing of personal data concerning you be restricted:

  1. if you contest the accuracy of the personal data concerning you for a period that enables the controller to verify the accuracy of the personal data;
  2. if the processing is unlawful and you refuse deletion of the personal data and instead request that use of the personal data be restricted;
  3. if the controller no longer needs the personal data for the purposes of the processing, but you require them for establishing, exercising or defending legal claims; or
  4. if you have objected to processing pursuant to Article 21 (1) of the GDPR and it has not yet been established whether the legitimate reasons of the controller outweigh your reasons.

If the processing of personal data concerning you has been restricted, such data shall – with the exception of storage – only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
If you have obtained restriction of processing under the conditions specified above, you will be informed by the controller before the restriction of processing is lifted.

Right to erasure

a) Duty to erase
You may request the controller to erase the personal data relating to you without delay, in which case the controller is obliged to erase this data without delay if one of the following reasons applies:

  1. The personal data concerning you is no longer necessary for the purposes for which it was collected or otherwise processed.
  2. You withdraw your consent on which the processing was based in accordance with Article 6 (1) (a) or Article 9 (2) (a) of the GDPR, and there is no other legal basis for the processing.
  3. You object to the processing pursuant to Article 21 (1) of the GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21 (2) of the GDPR.
  4. The personal data concerning you has been processed unlawfully.
  5. The personal data concerning you has to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
  6. The personal data concerning you has been collected in relation to information society services offered pursuant to Article 8 (1) of the GDPR.

b) Information to third parties
Where the controller has made your personal data public and is obliged pursuant to Article 17 (1) of the GDPR to erase it, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers who are processing your personal data that you, as the data subject, have requested the erasure by such controllers of any links to or copies or replications of this personal data.

c) Exceptions
There is no right to erasure to the extent that processing is necessary:

  1. for exercising the right of freedom of expression and information;
  2. for compliance with a legal obligation according to which processing is required by Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller;
  3. for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9 (2) and Article 9 (3) of the GDPR;
  4. for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 (1) of the GDPR, in so far as the right referred to in section a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
  5. for the establishment, exercise or defence of legal claims.

Right to notification

If you have exercised your right to rectification or erasure of personal data or restriction of processing vis-à-vis the controller, the controller is obliged to communicate this to all recipients to whom your personal data has been disclosed, unless this proves impossible or involves disproportionate effort.
You have the right to be informed by the controller about these recipients.

Right to data portability

You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used and machine-readable format. In addition, you have the right to transmit the data to another controller without hindrance from the controller to whom the personal data has been provided, as far as:

  1. the processing is based on consent pursuant to Article 6 (1) (a) of the GDPR or Article 9 (2) (a) of the GDPR or on a contract pursuant to Article 6 (1) (b) of the GDPR; and
  2. the processing is carried out by automated means.

In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one controller to another, where technically feasible. The freedoms and rights of others must not be affected by this.
The right to data portability does not apply to processing of personal data that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Right to object

You have the right to object at any time, on grounds relating to your particular situation, to any processing of your personal data pursuant to Article 6 (1) (e) or (f) of the GDPR; this also applies to profiling based on these provisions.
The controller will no longer process the personal data concerning you, unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defence of legal claims.
Where personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to processing of the personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.
If you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for such purposes.
In the context of the use of information society services – and notwithstanding Directive 2002/58/EC – you may exercise your right to object by automated means using technical specifications.

Right to withdraw the declaration of consent under data protection law

You have the right to withdraw your declaration of consent under data protection law at any time. The withdrawal of consent will not affect the lawfulness of processing carried out on the basis of your consent before its withdrawal.

Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR.
The supervisory authority with which the complaint has been lodged will inform the complainant on the progress and outcome of the complaint, including the possibility of a judicial remedy pursuant to Article 78 of the GDPR.

Requests should be sent to fortee@unimedizin-mainz.de or the Data-Protection Officer named above.

Automated Decision-Making

No automated decision-making, including profiling within the meaning of Article 22 GDPR, does not take place.

International Data Transfers

No personal data is transferred to countries outside the European Union or the European Economic Area.

Payment-Service Privacy Information (Concardis)

In the area of card payments (debit/girocard/credit cards), we are cooperating with the Concardis GmbH (Concardis), Helfmann Park 7, D-65760 Eschborn, represented by its directors Jana Brendel and Carsten Höltkemeyer.
Within this scope, the purchase amount and date as well as card data will be transferred to the aforementioned company.
All payment data as well as data regarding any possible chargebacks will only be stored as long as they are needed for payment processing (including processing possible return debits and debt collection) and for anti-abuse provisions. As a rule, this data will be deleted no later than 13 months after its collection.
The data may be stored for a longer period of time if and as long as that is necessary in compliance with a statutory retention period or in order to prosecute a particular case of misuse. Article 6(1) lit. f GDPR serves as the legal basis for data processing.
You are entitled to obtain information regarding your stored data and, where applicable, have a right to have this data corrected or deleted. You may also demand a restricted processing of your data and/or, where applicable, object to the processing of your personal data. If you have any questions regarding Concardis’s data processing or asserting your aforementioned rights, please consult the data protection officer that can be contacted by post at the above address or by email at Datenschutzbeauftragter@concardis.com
Furthermore, you are entitled to make a complaint to the supervisory authority (the privacy and data protection representative of the federal state in Germany). We would like to point out that the provision of payment data is neither legally nor contractually required. In case you do not wish to provide your payment data, you may use another payment method (e.g. cash).

Updates to this Policy

We may update this privacy policy to reflect legal or technical changes. The current version is always available on the website.