Skip to main content

Data Privacy

IBDIM - PRIVACY POLICY ACCORDING TO GDPR

Version January 2026

In this privacy policy, we explain all processing activities of IBDIM – IBD in Motion GmbH (IBDIM), the Research Unit of ECCO (European Crohn’s and Colitis Organisation), with its registered seat in 1030 Wien, Ungargasse 6/13.

1. Purpose, Legal Basis and Data Subject Groups

IBDIM solely processes your personal data for the purpose of its core business unit functions of contractual administration and the handling of its own finances. The legal basis for these activities is the individual contractual relationships with the signing partners – including the personal data of:

    • IBDIM employees and applicants
    • IBDIM Advisory Board Members (i.e. UR-CARE Steering Committee)
    • employees of funding partners
    • supplier companies and their employees
    • employees of organisations signing UR-CARE contracts and contractual partners of these organisations working in UR-CARE: including site administrators and study group data managers
    • employees of organisations signing contracts for projects to be hosted in broader UR-CARE environment and contractual partners of these organisations: including site administrators
    • stakeholders interested in UR-CARE
  • In addition to the contractual administration, IBDIM facilitates the communication among its stakeholders by informing the UR-CARE users and other project participants registered in the broader UR-CARE environment of relevant research projects in the field of IBD based on legitimate interest.
  • For promotional purposes of successful patient recruitment for UR-CARE (Top Recruiter Certificate initiative), IBDIM handles personal information of the site-administrators of organisations signing UR-CARE contracts based on legitimate interest. In addition, data subjects (including those involved in projects to be hosted in broader UR-CARE environment, e.g.: E-QUALITY project) can consent to receiving a promotional eNewsletter.
  • In case of open positions in IBDIM or positions in research projects, IBDIM collects applications in reply to open calls and manages the according selection and notification process. This processing activity takes place on a pre-contractual basis according to Art 6 para 1 lit b GDPR.
  • Based on its legitimate interest as business unit, IBDIM is also conducting statistical analyses and reports.

2. Categories of data processed & data storage time:

  • Contact details such as first name, last name, affiliation, email, country
  • Contract details of suppliers
  • Bank transfer and reimbursement data, invoicing data, pseudonymised Credit Card data
  • Applications to open calls and project participation(s)
  • The application process generates a ranking result which is kept confidential within ECCO Office archives. 

IBDIM of course also observes the principle of storage limitation for personal data and will process the above listed data until withdrawal of consent, but not longer than for 7 years.

a. Data recipients:

IBDIM has contracted Persei as specialised e-Health company to implement and host the UR-CARE Platform of IBDIM based on a processor contract.

Based on the Standard Clauses signed with Persei, IBDIM agreed that Persei is relying on the following companies in the UR-CARE project processing:

    • AWS (via Persei as UR-CARE Project Management support)
    • Microsoft Azure
    • Soho Platform
    • Mailchimp (UR-CARE eNewsletter distribution via Persei )
  • ECCO Office is run by OCEAiN GmbH, the sister business unit of IBDIM and the infrastructure business unit of ECCO.

For the overall, IBDIM infrastructure support, ECCO Office is contracted as processor and uses, where relevant, the same suppliers and solutions as for the ECCO IT Hub (https://www.ecco-ibd.eu/data-privacy-statement.html ). 

In order to adequately fulfil the intended purposes listed above, ECCO IT Hub contracts primarily data processors based in the European Union – including but not limited to:

A. EU/EEA recipients and sub-processors:

Recipient Purpose Location
1. COVR/Netropolix https://www.netropolix.be/ customer management system of the ECCO Database Belgium
2. SOL4 https://www.sol4.at/ ECCO Website Support Austria
3. Matomo Analytics https://matomo.org/ Website Statistics
4. EU server providers & local IT support Austria, Germany and Switzerland
5. Conference Compass https://www.conferencecompass.com/ ECCO App software including ECCO Congress onsite voting Netherlands
6. Rapidmail https://www.rapidmail.de ECCO eNewsletter distribution Germany
7. PAYONE https://www.payone.com/DE-en ePayment system on the ECCO Website Austria and Germany
8. BMD / Finmactics https://www.bmd.com as bookkeeping system Austria
9. Tax advisor & bank Tax advising & banking Austria & branch of respective congress destination
10. Hotel Venues For meeting arrangements Austria & branch of respective meeting destination

B. Non-EU/EEA sub-processors

Sub-processor Purpose Location
11. Zoom https://www.zoom.us/ As online back-end for ECCO Congress Speakers in case of virtual solution. USA: In the event of such a transfer, we rely on the adequacy decision of the European Commission (Art 45 GDPR). The certification under the DPF can be found here: https://www.dataprivacyframework.gov/list.
12. Docusign https://www.docusign.com/de-de/datenschutzerklaerung/datenschutz/ As electronic signature tool USA: In the event of such a transfer, the MASTER Agreement on legal law enforcement of DocuSign applies. https://www.docusign.com/en-ca/blog/eu-us-privacy-shield-ends-canada-keeps-adequacy-status.

b. Data processing to assert legal claims and conduct proceedings before authorities (including courts)

  • Data categories, purposes and legal bases

IBDIM may also process your data for the purpose of asserting, exercising or defending legal claims and for handling proceedings before authorities (including courts) to protect its legitimate interest (Article 6 (1) (f) GDPR). This legitimate interest lies in enforcing existing and defending against non-existent claims as well as in handling official (including judicial) proceedings to protect the legal position of IBDIM .  For this purpose, we also store your consent as outlined above in Section 2 to protect this legitimate interest in proving your consent, i.e. to defend legal claims. In order to assert legal claims and to carry out proceedings before authorities (including courts), IBDIM processes all categories of data that are necessary for this. This potentially includes all categories of data from you that is already processed for other purposes as well as data that IBDIM does not collect from you (see Section b in detail). 

  • Collection of data from other sources (information in accordance with Art. 14 GDPR)

For the purpose of asserting, exercising or defending legal claims and conducting proceedings before authorities (including courts), we also collect your data from other sources: 

Data category: contact details – publically accessible Source: Website of organisation Purpose: extrajudicial contact, provision of contact details to authorities (including courts)  

Data category: data retrieved form public registers, mainly contact details of and roles in a legal entity, data of running or closed proceedings Source: commercial registers, association registers, land title registers, executive registers

Purpose: to assert legal claims and conduct proceedings before authorities (including courts)

  • Storage period, processing period

IBDIM processes data required to assert legal claims for this purpose for up to 30 years after the end of the business relationship. In the event of official or judicial proceedings, IBDIM will store your data for the duration of these proceedings and, depending on the subject matter and outcome of the proceedings, for up to a further 30 years from the final conclusion of the proceedings. In the event that data subjects' rights are asserted under the GDPR (see point 6 for details), we store the associated data for three years from the last contact in connection with the assertion of a data subject's rights.  

  • Recipients of data

In order to assert, exercise or defend legal claims and to handle official (including judicial) proceedings, it is necessary that we disclose your data to the following recipients for the following purposes. This disclosure may be made by transmission, distribution or other form of delivery. 

Recepient: Christely
Data categories: access to all data of ECCO IT Hub necessary for remote support
Purpose: IT Remote Support
Legal Basis :  No legal basis is required as there is an order processing relationship
Registered Seat: Austria
Basis for transfer to 3rd country: no

Recepient: Lawyers and Tax Advisors
Data categories: all data necessary to establish compliance with legal obligations and for defence in court
Purpose: Evaluating and establishing compliance with legal obligations
Legal Basis: legitimate interest (Art 6 Abs 1 lit f DSGVO)
Registered Seat: Austria or EU
Basis for transfer to 3rd country: Art. 49 (1) e

Recepient: Insurance companies
Data categories: all data necessary to process insurance claims
Purpose:  Processing of claims
Legal Basis: legitimate interest (Art 6 Abs 1 lit f DSGVO)
Registered Seat: Austria or EU
Basis for transfer to 3rd country: Art. 49 (1) e

Recepient: Authorities (including courts)
Data categories: all data necessary to establish compliance with legal obligations and for defence in court and in front of authorities
Purpose: Handling of proceedings and legal disputes
Legal Basis: Not required as recipient is located within the EEA.
Registered Seat: Austria or EU
Basis for transfer to 3rd country: Art. 49 (1) e

3. Your rights as data subject:

Should you be affected by our processing of personal data, you have the right at any time to request access to rectification, or erasure of personal data, or restriction of the processing concerning your personal data or to object to processing as well as the right to data portability.

You may withdraw your consent regarding consent based data at any time.

Your personal data will not be subject to further processing in a way and manner that are incompatible with the intended purposes listed above.

According to Art. 13 (2) e GDPR, you are not obliged to agree to the processing of your data. However, please also note

  • that in case of the withdrawal of consent you will not be able to benefit or use all services offered by IBDIM;
  • that in case of disagreement with the processing of necessary data for (pre-) contractual obligations, the business transaction cannot be implemented.

Please note that the withdrawal of your consent shall not affect the lawfulness of processing based on consent before its withdrawal, and that in certain circumstances IBDIM is entitled or else required to process certain forms of personal data for a period extending beyond the withdrawal of consent, either due to our contractual relationship with you, or else due to legal requirements.

As a data subject, you can address the contact point and data protection officers indicated as well as the data protection authority indicated below.

In case you believe that the processing of your personal data does not comply with the provisions of data protection, you can – other legal remedies in law courts or under administrative law notwithstanding – make a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement. In Austria, the supervisory authority is the Austrian Data Protection Authority (Österreichische Datenschutzbehörde).

4. CONTACT POINT ACCORDING TO ARTICLE 13 GDPR

ECCO Office
Ungargasse 6/13, A-1030 Vienna, Austria
Tel: +43-(0)1-710 2242-0
E-Mail: ecco@ecco-ibd.eu or ecco-congress@ecco-ibd.eu

5. DATA PROTECTION OFFICER ACCORDING TO ARTICLE 37 GDPR

Dr. Lisa-Maria Fidesser, Rechtsanwältin
Wildpretmarkt 1, 1010 Vienna, Austria
Tel: +43 1 533 25 13
E-Mail: lisa@fidesser.com,
Web: www.fidesser.com