I. Who is responsible for the data processing and who is the data protection officer?

1. The controller for the processing of your personal data is:

• Deutsche Forschungsgemeinschaft e. V. (DFG)
  Kennedyallee 40
  53175 Bonn
  Germany
  Tel. +49 0228 885-1
  postmaster@dfg.de
  www.dfg.de/en

2. You can contact our data protection officer as follows:

• Attorney-at-law Dr. Karsten Kinast, LL.M.
  KINAST Rechtsanwaltsgesellschaft mbH
  Hohenzollernring 54
  50672 Köln
  Germany
  Tel. +49 221 222 1830
  mail@kinast.eu
  www.kinast.eu/en

II. What is the subject matter of data protection?

The subject matter of data protection is personal data. This is all information which relates to an identified or identifiable natural person (so-called data subject). For example, this includes information such as name, postal address, email address or telephone number.

III. What personal data relating to me will be processed?

Within the framework of your work as a committee member of the DFG, we only process such personal data relating to you which is connected to your work as a committee member.

Specifically, this may include:

• Contact information, including your name, e-mail address, telephone number and postal address
• Name of your institution
• Date of birth
• Gender
• Details of attendances and absences
• Details of academic career
• Duration of membership in DFG bodies
• Compilation of academic publications
• Academic functions and tasks
• Other data relating to voluntary work and career details (e.g. information on special merits in connection with voluntary activity).
• Other functions and work relating to the tasks of the body in question
• Image recordings, where relevant
• Investigations and, where relevant, so-called measures in accordance with the DFG Rules of Procedure for Dealing with Scientific Misconduct
• Voting rights, voting behaviour, overall voting result for votes at virtual meetings
• Payment details (IBAN, bank, invoice data etc.)
• Special categories of data such as health data (see Section IV.).

IV. What are the purposes of the processing of my personal data and on what legal basis does this take place?

Below, we wish to provide you with an overview of the purposes and legal basis of the processing of your personal data in connection with your work as a committee member at the DFG:

1. Data processing for the purposes of contract fulfilment and compliance with reporting obligations

We process your personal data for the preparation and performance of activities as a committee member of the DFG. The purposes depend on your specific tasks as a member of the committee in question and, should the activities also represent at least part of your work duties, also on the contract with your employer, and include the following in particular:

• Communication with you
• If applicable, publication of your membership of a committee on the website of the DFG or in other publication formats (for example brochures, DFG publications)
• Assessing conflicts of interest and conflicts of office in relation to your work on the committee
• Evaluation of suitability and formal requirements for participation in DFG committees and carrying out of selection processes
• Assignment of specific tasks within the committee
• Reporting obligations of the DFG in relation to donors and other auditors
• Documentation of task fulfilment (for example records of processes or results) in relation to committee work
• Billing of travel expenses
• Handling of virtual voting in connection with virtual meetings
• Investigations and so-called measures in accordance with the DFG Rules of Procedure for Dealing with Scientific Misconduct
• Assessment of allegations of discrimination against the DFG with regard to the formally correct procedure for processing proposals (for example, in accordance with the “General Guidelines for Reviews” and the Framework Rules of Procedure for Review Boards).

The data processing takes place in accordance with point (b) of Article 6 Paragraph 1 GDPR. In addition, data processing by the DFG takes place for purposes connected to the reporting obligations vis-à-vis the donors of the DFG, also in accordance with point (c) of Article 6 Paragraph 1 GDPR. Furthermore, data processing is carried out based on consent pursuant to point (a) of Article 9 Paragraph 2 GDPR when processing special categories of personal data.

We erase the data once it is no longer necessary for the purposes pursued by us within the framework of the activities as a DFG committee member and provided that no other legal requirements, in particular statutory or contractual retention periods, apply.

2. Fulfilment of other legal obligations

Under certain circumstances, we will also process your personal data in order to comply with legal obligations, for example under commercial, tax, financial or criminal law. In such a case, the purposes of the processing are determined by the legal obligation. As a rule, the processing takes place in order to comply with state monitoring and information obligations.

To this extent, the data is processed in accordance with point (c) of Article 6 Paragraph 1 GDPR.

We will erase the data once the legal obligation no longer applies and provided that no other legal requirements, in particular statutory or contractual retention periods, apply.

3. Processing in order to safeguard legitimate interests

Where necessary, we also process your personal data in order to safeguard our legitimate interests. We will only process your personal data if this is compatible with your basic rights and freedoms.

This may be applicable in the following cases:

• Protection and security of IT resources
• Safeguarding of our domiciliary rights
• Inclusion in the institutional archive relating to the development of the German Research Foundation (DFG)
• Processing for statistical purposes for the development of DFG committee work
• Personal data is processed in connection with the carrying out of procedures in accordance with the Rules of Procedure for Dealing with Scientific Misconduct (Number III.3.c VerfOwF, Number III.3.d VerfOwF). As committee members are also obliged to comply with the standards of good scientific practice, relevant procedures are also conceivable in connection with committee activities.
• For the purpose of scientific exchange or networking, personal data is processed for the organisation of review meetings.
• In the case of consortium proposals, the spokespersons of the consortium also receive information on the composition of the review group in advance of the review meeting in order to rule out any conflicts of interest and for the purpose of organising on-site reviews. In this respect, the review takes place – as a rule – in a joint meeting with the applicants and members of the review group as well as any rapporteurs involved.
• Assessment of allegations of discrimination against the DFG with regard to the formally correct procedure for processing applications (in particular based on § 12 General Equality Treatment Act (AGG) and in accordance with the DFG’s internal guidelines).
• Requests to the DFG for the conferment of orders of merit/other awards to committee members.

To this extent, data processing takes place in accordance with point (f) of Article 6 Paragraph 1 GDPR. Here, our legitimate interests consist in pursuing these aims.

We will erase the data once it is no longer necessary for the purposes being pursued by us and provided that no other legal requirements apply.

4. Processing based on your consent

In individual cases, we also process your personal data based on a declaration of consent which you have submitted. In such a case, the purpose of the processing is contained in the content of the declaration of consent. Data processing is carried out based on point (a) of Article 6 Paragraph 1 GDPR or based on point (a) of Article 9 Paragraph 2 GDPR in the event of special categories of personal data being processed.

Consent can be withdrawn at any time. Please also note that this withdrawal shall only apply with future effect, meaning the lawfulness of the data processing which took place with your consent prior to withdrawing remains unaffected.

We will erase your data once the storage period specified in the consent has expired or should you have withdrawn your consent and no other legal basis is present. Should the latter situation apply, we erase the data once the other legal basis is no longer applicable.

V. Will my personal data also be collected from third parties?

We primarily process the personal data which we receive from you directly in connection with your work as a committee member at the DFG. In a few cases, we also obtain your personal data from third parties, for example:

• from your institution / employer, scientific associations or other third parties (in particular in case of proposals for election to DFG committees),
• from third parties in relation to any information concerning bias (we generally obtain such information from applicants or other persons involved in the review process),
• from publicly accessible sources (in particular scientific platforms such as ResearchGate or searchable databases such as PubMed or Web of Science).

If necessary, we will provide you with more precise information about the above in separate form.

VI. Does automated decision-making or profiling take place?

We do not use automated decision-making or profiling in accordance with Article 22 GDPR.

VII. Am I required to provide my personal data?

In connection with your work as a committee member, you are required to provide the personal data which is necessary for the preparation and performance of the activities as a committee member and to fulfil the associated contractual or legal obligations or which we are legally obliged to process. Without this data, you may not be able to carry out the committee work.

VIII. Who has access to my personal data and which recipients obtain it?

Within the DFG Head Office, only those employees who strictly require your personal data in order to carry out their functions or tasks have access to it.

We only pass your personal data on to external recipients if a legal basis exists for this or if you have given your consent to such. Possible external recipients include:

• Processors: Service providers who are used by us to provide personnel services or in connection with the use of virtual voting tools or who are involved in the maintenance of our IT systems, for example. These processors are carefully selected by us and are regularly audited in order to ensure that your personal data remains protected. The service providers may only process your personal data for the purposes stated by us.
• Public bodies: Authorities and state institutions, for example public prosecutor's offices, courts or financial authorities, as well as public donors to the DFG to whom we may be required to provide personal data in individual cases. In the case of requests for the conferment of orders of merit/other awards, the DFG discloses personal data to public authorities.
• Academic institutions: If necessary, your data is passed on to academic institutions at their request, insofar as your expertise falls within the requested subject of consultation. In connection with taking on administrative tasks for Senate Commissions by institutions entitled to submit proposals (e.g. universities), your data is passed on to these institutions to the extent necessary.
• Other participants in the decision-making process for funding proposals:
  • Participating reviewers or review board members receive lists with personal data prior to or after a review meeting for the purpose of academic exchange or networking.
  • The DFG provides these consortia spokespersons with information on the members of the review group in advance of the review meeting in order to rule out any conflicts of interest and for the purpose of organising on-site reviews. In this respect, the review takes place – as a rule – in a joint meeting with the applicants and members of the review group as well as any rapporteurs involved.
• Institution / employer where you are employed: If a procedure has been initiated against you regarding an allegation of scientific misconduct, personal data is disclosed following the conclusion of investigations if there is a legitimate interest and in accordance with the Rules of Procedure for Dealing with Scientific Misconduct. This applies in particular to the institution / employer for which you work.

IX. Will my personal data be transferred to third countries?

Within the framework of the work as a committee member, your personal data will, in individual cases, be transferred to bodies whose headquarters or data processing location is not in a Member State of the European Union or another Member State of the European Economic Area. In such a case, prior to the transfer, we ensure that either an adequate level of data protection exists (for example by means of an adequacy decision of the European Commission, suitable guarantees, such as the agreement of so-called EU standard data protection clauses of the European Commission with the recipient) or you have given your express consent, with the exception of exemption cases which are permitted by law.

X. For how long will my data be stored?

Please see the relevant section concerning data processing under Number IV. in order to find out for how long your personal data is stored.

XI. What are my rights as a data subject?

You are entitled to the following rights in connection with the processing of your personal data:

1. Right of access

You have the right to receive confirmation from us as to whether we process personal data relating to you or not. Should this be the case, you have the right to receive information concerning your personal data and to receive further details concerning the processing.

2. Right to rectification

You have the right to request the rectification of incorrect personal data relating to you and to have incomplete personal data completed.

3. Right to erasure (“right to be forgotten”)

Under certain circumstances, you have the right to request that we erase your personal data. For example, this right exists if the personal data is no longer necessary for the purposes for which it was collected or otherwise processed or if the personal data was processed unlawfully.

4. Restriction of processing

Under certain circumstances, you have the right to request that the processing of your personal data be restricted. In such a case, we will only store such personal data in relation to which you have given your consent or processing is permitted by the GDPR. For example, you may have a right to restrict processing if you have disputed the correctness of your personal data.

5. Data portability

Should you have provided us with personal data under a contract or with your consent, then provided that the statutory requirements are met, you can request to receive the data which you have provided in a structured, commonly used and machine-readable format or request that we transfer this data to another controller.

6. Withdrawal of consent

Should you have given us your consent to the processing of your personal data, you can withdraw this at any time with effect for the future. The lawfulness of the processing of your personal data prior to the withdrawal remains unaffected by this.

7. Objection against processing on the basis of a “legitimate interest”

8. Right to complain to the supervisory authority

You also have the right to lodge a complaint with the responsible supervisory authority, should you consider that the processing of your data breaches applicable laws. For this purpose, you can contact the data protection authority which is responsible for your place of residence, place of employment or the location of the alleged breach or the data protection authority which has jurisdiction over us. The supervisory authority of the German Federal State in which you reside or work or where an alleged breach which forms the subject of the complaint has taken place holds jurisdiction.

XII. Who can I contact if I have any questions or wish to assert my rights as a data subject?

Should you have any questions concerning the processing of your personal data or should you wish to assert your rights as a data subject which are set out in Number XI., 1-7, you can contact us free of charge. Please use the contact details under Number I., 1. To withdraw your consent, you can also use the contact channel which you selected when submitting the declaration of consent.

¹ This information applies to all members and (permanent) guests of organs of the DFG and its sub-organisations. It also applies to members and (permanent) guests of other work groups who work for the DFG and provide professional expertise, even if such activities take place outside of the association structure.