General guidelines for the processing of personal data (structured and unstructured material)
We do not process or share sensitive information. Sensitive information is information that reveals race or ethnic origin, political opinion, religious or philosophical beliefs, union membership, health status, and sexual behavior and orientation. Certain statutory health records are removed when the need to process them disappears.
Publication on the website
A person’s name or image is published on a website only on the basis of a legitimate interest or the person’s permission. Material that is considered offensive will be removed.
Instructions for handling e-mail
In e-mail correspondence, we assess whether there is a legal basis for storing contact information. We do not send sensitive, personal information via unsecured e-mail. When we send e-mail to many addresses at the same time, we hide the recipients.
Pruning of personal data
We process personal information for as long as we have a legitimate reason to do so. The data will either be deleted or rendered anonymous when there is no need to retain it.
Damages in the processing of personal data
If personal information falls into the wrong hands, is altered or lost, the privacy of the individual may have been violated. This includes intentional and unintentional processing. Personal data breaches must be reported to the Data Protection Officer without delay (usually within 72 hours). The notification is made via the online service of the Office of the Data Protection Officer. The obligation to notify does not apply if the risk to the rights and freedoms of a natural person is unlikely. The principle of liability obliges the company to show that the risk of damage is unlikely. In the case of serious incidents, the persons to whose task it relates are notified.
