The Institut für Diabetes-Technologie (IfDT) is a research institute, specialized on clinical research in the area of diabetes mellitus.

Our aim is to support and promote research and development of technologies in the area of diabetes. With our work we want to contribute to making life for people with diabetes easier. 

Data Privacy Policy

We are pleased about your visit to our website www.ifdt-ulm.de. This data privacy policy informs users about the nature, scope and purpose of the processing of personal data within this website and the associated websites, mobile applications and external online presences, such as social media profiles.

1. Responsible Party

IfDT - Institut für Diabetes-Technologie Forschungs- und Entwicklungsgesellschaft mbH
an der Universität Ulm
Lise-Meitner-Str. 8/2
89081 Ulm


Phone:     +49 731/509 90-0

Fax:         +49 731/509 90-22

E-Mail:     diabetes@ifdt-ulm.de

Website:   https://www.ifdt-ulm.de

Our data protection officer can be reached under datenschutz@ifdt-ulm.de.

2. Processing of personal data

2.1 What is personal data

Personal data means any information related to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, Article 4(1) GDPR.

2.2 Legal basis

The processing of personal data on this website is carried out in compliance with the relevant data protection regulations (in particular GDPR and BDSG) and on base of a legal permission.

Personal data are processed only:

  • with the consent of the user according to Art. 6 (1) p. 1 lit. a DSGVO
  • for the fulfillment of a contract or for the execution of pre-contractual measures according to Art. 6 (1) p. 1 lit. b DSGVO
  • for the fulfillment of legal obligations pursuant to Art. 6 (1) p. 1 lit. c DSGVO or
  • for the protection of legitimate interests of the responsible person according to Art. 6 (1) p. 1 lit. f DSGVO.

2.3 Disclosure of data

If personal data is passed on to other persons or companies in the course of processing, this will be done in compliance with the legal requirements and after completion of corresponding contracts or agreements.

2.4 Data processing in third countries

Should a transfer of personal data to a so-called "third country" (i.e. to a state outside the European Union or the European Economic Area) be mandatory, this will only take place if there is a recognized level of data protection or on the basis of special guarantees, certifications or binding internal data protection regulations within the meaning of Art. 44 - 49 GDPR.

2.5 Storage period

Unless otherwise stated in this data protection declaration, personal data will be deleted as soon as the purpose of processing is omitted or the consent on which the processing was based has been revoked. If legal retention obligations or limitation periods prevent deletion, the personal data concerned may only be processed for commercial or tax law purposes or for the purpose of asserting, exercising or defending legal claims.

2.6 Data subject rights

The user has the right to:

  • a confirmation whether own personal data are processed, to be informed about that data as well as to receive further information and a copy of that data, Art. 15 GDPR
  • Completion of own personal data or correction of incorrect own personal data, Art. 16 GDPR
  • Deletion of own personal data if there is a reason for deletion mentioned there, Art. 17 GDPR
  • Restriction of the processing of one's own personal data if there is a reason mentioned there, Art. 18 GDPR
  • Transfer of own personal data to another person responsible, Art. 20 GDPR
  • Complain to a regulatory authority if he/she considers that the processing of personal data concerning him/her violates applicable laws, Art. 77 GDPR

Responsible regulatory authority:

The state commissioner for data protection of Baden-Württemberg

Post box 10 29 32

70025 Stuttgart

Phone: 07 11/61 55 41–0

Fax: 07 11/61 55 41–15



The user has the right to revoke given consent with effect for the future at any time, Art. 7 (3) GDPR.

The user has the right to object at any time against the future processing of data concerning him/her in accordance with Art. 21 GDPR. The objection can be made in particular against the processing for purposes of direct advertising.

3. Processing of personal data on this website

Usually, users can use the website without providing any personal information. The exception to this is information that is automatically collected each time the website is accessed (so-called server log files). This includes:

  • Filename of the requested file
  • Terminal device used (mobile device or PC/laptop)
  • Browser type /-version
  • Javascript activation
  • Cookie activation
  • referring URL
  • IP-address
  • Duration of access
  • Number of pages accessed
  • Click path

The legal basis for the processing of personal data in this context is Art. 6 (1) p. 1 lit. f GDPR, as the possibility of technical management and ensuring the security of the website is in the legitimate interest of the responsible person. The purposes of the processing are to enable the use of the website (connection establishment), system security, technical administration of the network infrastructure and optimization of the website.

The stored data will be deleted after seven days unless there is a justified suspicion based on specific indications of unlawful use that makes further examination necessary. The responsible party is not able to identify users as data subjects based of the stored information.

For particular functionalities of the website it may exceptionally be necessary to provide personal information. Further information on this can be found under "Individual functionalities".

4. Cookies

The website uses cookies. Cookies are small files which are stored on the terminal device of the user (PC, smart phone). "Session cookies" are deleted again when the browser session is ended. Other cookies ("persistent cookies") are automatically deleted after a specified period of time, which may vary depending on the cookie.

Users can influence the use of cookies. Most browsers have an option that restricts or completely prevents the storage of cookies. In addition, users can delete cookies at any time in the security settings of their browser. Further information on this can be found at the Federal Office for Information Security.

Essential Cookies

These cookies are mandatory for websites and their functions to work properly. Without these cookies, certain functionalities cannot be provided.

The data processed by essential cookies are required for the purposes mentioned before to protect the legitimate interests of the responsible person according to Art. 6 (1) p. 1 lit. f GDPR.

Non- essential Cookies

These cookies enable

  • To improve the comfort and performance of websites, for example, to save language settings,
  • To collect information about how users use websites, for example, to identify particularly popular areas of the website
  • To track users' visits and activities on websites, for example, to show targeted advertisements and ads.

The processing of personal data by means of non-essential cookies may only be carried out for purposes mentioned before with the consent of the users according to Art. 6 (1) p. 1 lit. a GDPR

The responsible party currently uses the following cookies for the following purposes:


Description Cookie

Purpose and function of cookie

Expiration date


Opt-In Setting for Google Maps

7 days

5. Individual Functionalities

The functionalities used on the website are operated on the basis of the user's consent according to Art. 6 (1) p. 1 lit. a GDPR or on the basis of the legitimate interest of the responsible party according to Art. 6 (1) p.1 lit. f GPDR. A possibly existing legitimate interest of the responsible party, the purpose of the data processing and the categories of personal data are described in the context of the respective functionality.

5.1 Google Maps

The website uses the map service Google Maps of Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (subsequently referred to as "Google"). This allows interactive maps to be displayed directly on the website and enables the user to use the map function conveniently.

In this context, it is necessary to store the IP address of the user. The information obtained through this is usually transferred to a Google server outside the EU and stored there. This occurs regardless of whether the user is logged into his/her Google account or not. Google stores the user data as usage profiles and uses them for the purposes of advertising, market research and/or the customized design of the website.

If the user is logged into his/her Google account, the data will be assigned to the corresponding account. An assignment can be prevented by the user logging out of his Google account beforehand.

Google's privacy policy can be accessed at https://policies.google.com/privacy.

5.2 Matomo

This website uses the open source range analysis service Matomo (formerly Piwik) for statistical analysis of user behavior and to improve usability.

Matomo is hosted on the server of the responsible party; personal data is not passed on to third parties. When using Matomo, no cookies are used; as a result, individual users cannot be distinguished from one another and returning users cannot be identified. To ensure the protection of users' personal data, the person responsible for the website has activated the so-called "IP anonymization". This means that IP addresses of users are only processed in shortened form - i.e. anonymized.

If users do not wish to be tracked when visiting the website, the "Do Not Track" function can be activated in the browser; Matomo will then not collect any data.

Further information on data protection at Matomo is available at: https://matomo.org/privacy.

5.3 Telephone conferences, online meetings, video conferences and/or webinars

For telephone conferences, online meetings and/or video conferences, the responsible party uses "Zoom", a service provided by Zoom Video Communications, Inc, 6601 College Blvd, Overland Park, KS 66210, USA (subsequently referred to as "Zoom").

The processing of personal data is carried out on the basis of the legitimate interest of the responsible party according to Art. 6 (1) lit. f GDPR in the effective implementation of telephone conferences, online meetings and/or video conferences. As far as personal data is processed by employees of the responsible person, § 26 GDPR is the legal base for the data processing.

Participation in telephone conferences, online meetings and/or video conferences can be done via the respective app as well as via the respective browser-based version.

We would like to point out that the use of the browser-based versions is generally more privacy-friendly than the use of the app-based versions. The scope of the personal data processed is depending on the information users provide before or during participation in a telephone conference, online meeting, video conference and/or webinars.

The following personal data may be processed:

  • User details: first name, last name, phone (optional), email address, password (optional), profile picture (optional), department (optional).
  • Meeting metadata: Topic, description (optional), participants‘ IP addresses, device/hardware information.
  • When dialing in via telephone: incoming and outgoing call number, country name, start and end time, possibly further connection data such as the IP address of the device.
  • Text, video and audio data: Users may have the option to use the chat function during conference calls, online meetings, video conferences and/or webinars. Text entries made by the user are processed in order to display them. In order to enable the display of video and the playback of audio, the data from the microphone of the terminal device as well as from the video camera of the terminal device are processed accordingly during the duration of the meeting. Users can turn off the camera or mute the microphone themselves at any time.

Telephone conferences, online meetings, video conferences and/or webinars are not recorded. Chat content is not logged. If users are registered as users at "Zoom", then reports of telephone conferences, online meetings and/or video conferences can be stored at "Zoom" for up to 12 months.

An adequate level of data protection is guaranteed by the conclusion of the so-called EU standard contractual clauses. As supplementary protective measures, the responsible party has configured the application as strictly as possible from a data protection perspective.

Zoom's privacy policy is available at: https://explore.zoom.us/de/privacy.

5.4 Making contact

When contacting the responsible party (for example, by e-mail or by contact form), the information of the requesting user is processed to the extent necessary to respond to the contact request and any measures requested.

The processing of personal data is carried out on the basis of the legitimate interest of the responsible party according to Art. 6 (1) lit. f GDPR in responding to requests.

The data provided by the requesting user in the course of contacting us will only be passed on with the user's consent in accordance with Art. 6 (1) lit. a GDPR.

6. Additional Data processing

6. Additional Data processing

6.1 Contractual Relationships

The processing of personal data, contract data and payment data is necessary for the establishment and/or implementation of contractual relationships with customers.

The legal basis for the processing is Art. 6 (1) p. 1 lit. f GDPR.

The responsible party processes customer and prospective customer data for evaluation and marketing purposes. The legal basis for the processing is Art. 6 (1) 1p 1 lit f GDPR.

The processing serves the legitimate interest of the responsible party to further develop the range of services and to provide targeted information about this.

Further processing of personal data only takes place based on consent within the meaning of  Art. 6 (1) p. 1 lit. a GDPR or in the context of the fulfillment of legal obligations within the meaning of Art. 6 (1) p. 1 lit. c GDPR.

6.2 Study Participation

The responsible party conducts clinical study with objects for which the processing of personal (health) data is required. Type and amount of processed personal (health) data varies depending on the type and focus of the respective study.

Participation in studies is voluntary and takes place based on consent within the meaning of  Art. 6 (1) p. 1 lit. a GDPR. Consent to study participation can be revoked at any time without giving reasons and without any adverse consequences for the study participants. If consent is revoked, personal data of study participants will no longer be processed and all personal data stored up to that point will be deleted, provided that there are no legal retention obligations to the contrary.

For the initial collection of personal (health) data, the responsible party uses questionaires which are provided as a download in digital form over the website of the responsible party among other places. 

We would like to point out that communication by unencrypted e-mail involves the risk that transmitted data can be viewed by third parties. To avoid risks and protect personal (health) data as best as possible, we recommend sending completed questionnaires exclusively by mail.

The personal (health) data collected in the course of studies are stored on the server of the responsible party. Furthermore, a patient file is created. All persons who have access to personal (health) data are subject to medical confidentiality.

6.3 Emloyment relationships

The website offers applicants the possibily to appy at the responsible party via e-mail or mail. In this process personal data which is connected to the specific application e.g., general personal data, information on schooling, vocational training and continuing education, as well as other information that applicants submit gets processed.

The responsible party processes personal data for the purpose of carrying out the application procedure as well as the settlement of the employment relationship, if such a relationship is established, on the basis of Art. 88 GDPR in conjunction with. § 26 (1,8) p.2 GDPR.

Furthermore, personal data may be processed if this is necessary for the fulfillment of legal obligations (Art. 6(1) lit. c DSGVO) or for the defense of asserted legal claims against the responsible party (Art. 6(1) lit. f DSGVO). The legitimate interest is, for example, a duty of proof in proceedings under the General Act on Equal Treatment (AGG)

Personal data is stored for the purposes mentioned above for as long as is necessary to fulfill these purposes. For the purpose of defending asserted legal claims from the application process against the responsible party, personal data will be stored for a maximum of 6 months and deleted afterwards.

If no employment relationship is currently considered, it is possible to include the application in an applicant pool. In case of acceptance, all documents and information from the application will be transferred to the applicant pool in order to contact applicants in case of suitable vacancies. The inclusion in the applicant pool only follows based on consent within the meaning of Art. 6 (1) p. 1 lit. a GDPR. The submission of consent is voluntary and is not related to the current application process. The applicant may revoke his or her consent at any time. In this case, the data will be deleted from the applicant pool, unless there are legal reasons for retention. The data from the applicant pool will be stored for a maximum of 2 years and deleted afterwards.

The provision of personal data in the context of application procedures is neither legally nor contractually required. Applicants are therefore not obliged to provide any information. However, the provision of personal data is necessary for the decision on an application or the conclusion of a contract in relation to an employment relationship.

As far as applicants do not provide any personal data, the person responsible cannot make a decision on the establishment of an employment relationship. It is recommended to only provide personal data as part of the application that is required in this context.



7. Security of processing

The website uses the TLS-process (Transport Layer Security) in connection with the highest encryption level supported by the browser used. Whether an individual web page of the website is transmitted in encrypted form can be recognized in the address bar of the browser by the prefix https:// and/or the closed padlock symbol.

The responsible person uses technical and organizational security measures to protect the personal data managed by them against accidental or intentional manipulation, loss, destruction or against access by unauthorized persons. Security measures are continuously improved in line with technological developments.

8. Validity and actuality of the privacy policy

The privacy police is currently valid and dated february 10th, 2023.

Due to ongoing legal and technical developments, the responsible party reserves the right to update this privacy policy at any time.

To improve the reader-friendliness of our website, we use the generic masculine. In the context of equal treatment, we would like to point out that the content of our website is aimed at all genders and does not contain any valuation.