EFR Congress 2026

Privacy Policy

Data protection information
Information on data processing in accordance with Articles 12 to 14 GDPR

Controller
The association is the controller responsible for the processing of personal data in accordance with Art. 4(7) GDPR:

EFR
Hohe Warte 56
1190 Vienna, Austria
efr@congressorganisation.at
www.efrcancer.org
ZVR: 234072184

Personal data
EFR processes the following categories of personal data

Full name
Organization for which the association member works
Title/gender
Date of birth
Addresses
Telephone and fax numbers
Email addresses
Occupation
Awards and honors
Interests and areas of expertise disclosed by the member
Activities relevant to the association's purpose, in particular participation in events, membership in committees, working groups, publications for the association, lectures, participation in arbitration proceedings
Information regarding the use of the association's services
Information on the initiation, content, and fulfillment of legal transactions
Payments or other services provided by the association to the member
Correspondence content
Bank details

From association officials

Full name
Title/gender
Date of birth
Mailing address in connection with the position
Telephone and fax numbers
Email addresses
Photos
Position within the association
Start and end of the position
Payment obligations of the official to the association
Payments or other benefits from the association to the official
Awards and honors
Correspondence content

From third parties who use the association's services

Full name
Name of the organization for which the third party works
Title / gender
Date of birth (if necessary for identification purposes)
Addresses
Telephone and fax numbers
Email addresses
Occupation
Interests and areas of expertise disclosed by the data subject
Participation in events organized by the association
Use of services provided by the association
Information on the initiation, content, and fulfillment of legal transactions
Correspondence content
Bank details

From third parties who provide services for the association

Full name
Name of the organization for which the third party works
Title/gender
Date of birth (if necessary for identification purposes)
Addresses
Telephone and fax numbers
Email addresses
Sales tax identification number
Social security number
Tax number
Occupation or industry (as specified by the data subject)
Interests and areas of expertise disclosed by the data subject
Participation in association events
Services provided by the data subject to the association
Information on the initiation, content, and fulfillment of legal transactions
Payments made by the association to the third party
Correspondence content
Bank details

Purposes
Personal data is processed by EFR for the following purposes.
Correspondence with members or sponsors of the association, in particular through automatically generated and archived text documents relating to association matters
Promotion, organization, implementation, and participation in analog and digital web-based scientific events (conferences, symposia, seminars, lectures)
Promotion, organization, implementation, and participation in analog and digital web-based training events
Promotion, organization, operation, and access to scientific databases
Promotion, creation, production, and distribution of analog and digital scientific publications, including newsletters
Advertising, offering, awarding, and administering scholarships, grants, prizes, and awards
Processing and transmitting data within the framework of a business relationship with customers and suppliers, including automatically generated and archived text documents (such as correspondence) in these matters
Processing and transmission of data for wage, salary, and remuneration accounting and compliance with recording, information, and reporting obligations, insofar as this is necessary due to laws or standards of collective legal regulation or employment contract obligations, including automatically generated and archived text documents (such as correspondence) in these matters.

Use and storage of applicants' personal data if this data has been provided by the data subject or a recruiter.

Legal basis
Processing is carried out on the following legal basis:
Processing is primarily carried out on the basis of the legal relationships arising from membership of the association or for the implementation of pre-contractual measures at the request of the data subject when accepting members of the association within the meaning of Art. 6 (1) (b) GDPR. If and to the extent that the disclosure and transfer of personal data to third parties is not carried out in fulfillment of contractual obligations or for the implementation of pre-contractual measures, it is carried out on the basis of the consent of the data subjects within the meaning of Art. 6 (1) (a) GDPR. The processing of personal data for the purpose of recruiting association members and advertising association events and other services offered by the controller to third parties who are not association members is based on a legitimate interest of the controller pursuant to Art. 6 (1) (f) GDPR. In this case, the legitimate interest of the controller lies in increasing the number of members and promoting the purpose of the association by expanding the target group for the services offered by the controller in fulfillment of the association's purpose.

The reporting of personal data of association officials to the association authority is based on the legal obligations incumbent on the responsible parties in accordance with Art. 6 (1) (c) GDPR.

The processing of personal data of employees and job applicants is carried out for the purpose of fulfilling contracts or implementing pre-contractual measures within the meaning of Art. 6 (1) (b) GDPR. The transfer of personal data of employees to authorities and social security institutions is carried out in fulfillment of legal obligations in accordance with Art. 6 (1) (c) GDPR.

The processing of personal data of customers and suppliers who are not members of the association and who provide services to the controller or use the services of the controller is carried out in fulfillment of contracts or for the implementation of pre-contractual measures in the initiation of contractual relationships within the meaning of Art. 6 (1) (b) GDPR.

Categories of recipients
Only personal data will be disclosed if there is a legal obligation to do so, or if disclosure is necessary for the performance of a contract or for the implementation of pre-contractual measures, or if the data subject has given their consent, or if disclosure does not override the data subject's interest in protecting their personal data against the legitimate interest of the controller or a third party in disclosure. The disclosure must be appropriate and relevant to the purpose and limited to what is necessary for the purpose of the disclosure (“data minimization”).

The personal data processed by the controller may be disclosed to the following categories of recipients.

Other association members
Association officials
Cooperation partners of EFR, i.e., legal entities whose purpose or business object is related to the promotion of medical imaging
Participants in association events
Supporters of the association and sponsors of the association and association events
Exhibitors at association events
    Suppliers and customers of the association
    Banks and insurance companies
    Payment service providers and credit card companies
    Processors of the association, including
        Travel agencies

        Publishers

Office service providers
Event organizers
Delivery services
Email services
IT service providers
Translation agencies and interpreters
Marketing, advertising, and PR agencies
Tax advisors and chartered accountants
Lawyers and notaries
Courts, authorities, local authorities, social security institutions, and professional associations representing doctors and other healthcare professionals
Universities
Institutions and operators of hospitals

Storage period
EFR does not store personal data for longer than is necessary for the respective processing purpose. EFR stores personal data for the duration of contractual relationships, in particular for the duration of membership in an association. In addition, personal data may or must be stored further depending on legal bases and the respective purpose. Reasons that justify the storage of personal data beyond the duration of a contractual relationship are the tax law retention obligations (usually seven years from the end of the calendar year to which the data processing relates) or the keeping of records for the assertion or defense of legal claims, which can be up to 30 years in accordance with the statutory limitation rules in Austria.

If the storage of personal data is based solely on the consent of the data subject, this consent can be revoked at any time. Unless the storage is based on another legal justification, the deletion of the data can be requested.

Sources of personal data
The data processed by EFR originates primarily from the data subjects themselves and is collected by EFR when a legal relationship is established (membership of the association, participation in an event, creation of a user account for a database operated by EFR, use of other services offered by EFR).

However, personal data of data subjects may also be disclosed to EFR by third parties, for example, when a recommendation is made for a speaker or teacher at association events or as an author in association publications.

Other sources of personal data processed by EFR may be public, such as the World Wide Web in general and publications or websites of the data subjects themselves or of universities, hospitals, research institutions, or medical platforms and doctor search services in particular.

Third countries and international organizations
EFR does not transfer data to third countries.

Personal data may be transferred to international health organizations. The following also applies to this transfer:

Only personal data will be transferred if there is a legal obligation to do so, or if the transfer is necessary for the performance of a contract or for the implementation of pre-contractual measures, or if the data subject has given their consent, or if the transfer does not override the data subject's interest in the protection of their personal data against the legitimate interest of the controller or a third party in the transfer. The transfer must be appropriate and relevant for the purpose and must be limited to what is necessary for the purpose of the transfer (“data minimization”).