DATA PROTECTION

FEMclub – Female Excellence in Medicine – Association for the Advancement of Women in Medicine (hereinafter referred to as FEMclub) guarantees that it will only collect and use personal data of its members that is necessary for member support and administration as well as for pursuing the association’s objectives. The data collected and stored by FEMclub for the establishment, implementation, and termination of membership as defined by the statutes and the purpose of the association includes personal information (name, address, date of birth, email address, telephone/fax number) and any other data necessary for the type of membership [professional affiliation, educational status, payment information, position] – see membership form.

In accordance with the GDPR, every member has the right to information about the data stored about them. The FEMclub processes and stores the personal data provided only for as long as this is necessary to fulfill the aforementioned purposes. Once the purpose has been fulfilled and the statutory retention obligations have expired, this data will be deleted. Each member has the right to correct their data, revoke their consent, or delete personal data, provided that this does not conflict with the purpose of the association as set out in the association’s statutes.

FEMclub collects and stores this data using data processing systems (EDP) for the fulfillment of its statutory purposes and tasks in accordance with the provisions of the EU General Data Protection Regulation (GDPR) and has implemented appropriate technical and organizational measures to ensure that no unauthorized access to (or unlawful processing of) the data provided takes place.

Insofar as this is necessary for the fulfillment of the contract or justified within the scope of the legitimate interests of the FEMclub, personal data will also be transferred to processors (service providers) employed by the FEMclub, provided that they comply with the data protection requirements specified in writing by the FEMclub and undertake to maintain confidentiality towards the FEMclub. For this purpose, a data processing agreement is concluded with the service providers employed. Data will only be transferred to countries outside the EU or the EEA (so-called third countries) if this is necessary for the performance of the contract.

If you have any concerns or questions regarding data protection at FEMclub, please contact the secretariat: femclub@wma.co.at, Secretariat FEMclub, c/o WMA, Alser Straße 4, 1090 Vienna.

Legal basis for data processing

Associations may collect, process, store, and transfer personal data of their members on the basis of Art. 6 GDPR. The legal basis for this is often the membership agreement together with the association’s statutes. The sending of newsletters or the publication of personal information on the association’s website requires the consent of the members concerned in order to achieve the association’s purpose.

Art. 6 GDPR Lawfulness of processing

Lawfulness of processing

(1) Processing shall be lawful only if at least one of the following conditions is met:

a) The data subject has given consent to the processing of personal data concerning him or her for one or more specific purposes;

b) Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

c) processing is necessary for compliance with a legal obligation to which the controller is subject;

d) processing is necessary to protect the vital interests of the data subject or of another natural person;

e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Paragraph 1(f) shall not apply to processing carried out by public authorities in the performance of their tasks.

(2) Member States may maintain or introduce more specific provisions to adapt the application of the provisions of this Regulation with regard to processing for the purposes of paragraph 1(c) and (e) by specifying further requirements for processing and other measures to ensure lawful and fair processing, including for other specific processing situations referred to in Chapter IX.

(3) The legal basis for processing pursuant to paragraph 1(c) and (e) shall be laid down by

(a) Union law; or

(b) the law of the Member State to which the controller is subject.

The purpose of the processing must be laid down in that legal basis or, with regard to processing pursuant to paragraph 1(e), be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. This legal basis may contain specific provisions adapting the application of the provisions of this Regulation, including provisions on the general conditions governing the lawfulness of processing by the controller, the types of data processed, the persons affected, the entities to which personal data may be disclosed and the purposes for which they may be disclosed, the purpose limitation, how long they may be stored, and the processing operations and procedures that may be applied, including measures to ensure lawful and fair processing, such as those for other specific processing situations in accordance with Chapter IX. Union law or the law of the Member States must pursue an objective of public interest and be proportionate to the legitimate aim pursued.

(4) Where processing for a purpose other than that for which the personal data have been collected is not based on the consent of the data subject or on a provision of Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), in order to determine whether processing for another purpose is compatible with the purpose for which the personal data were originally collected, the controller shall take into account, among other things

a) any relationship between the purposes for which the personal data were collected and the purposes of the intended further processing;

b) the context in which the personal data were collected, in particular the relationship between the data subjects and the controller;

c) the nature of the personal data, in particular whether special categories of personal data pursuant to Article 9 are processed or whether personal data relating to criminal convictions and offenses pursuant to Article 10 are processed,

d) the possible consequences of the intended further processing for the data subjects,

e) the existence of appropriate safeguards, which may include encryption or pseudonymization.