Data Protection Policy

1. Introduction

CENTOGENE is a worldwide leader in the field of genetic diagnostics for rare hereditary diseases – with the largest test portfolio worldwide. CENTOGENE is dedicated to the highest quality genetic and biochemical diagnostic testing for the global medical community. CENTOGENE’s mission is to support medical professionals with in-depth medical expertise to diagnose early and safely the genetic reason for the patients’ burden. To support its mission of diagnosing and detecting, CENTOGENE uses Personal Data in the diagnosis of rare hereditary diseases, marketing of innovative products, partnering with health care professionals and researchers, and in relation to its Associates. CENTOGENE respects the data protection rights of any person whose Personal Data we are entrusted with, and CENTOGENE complies with all applicable laws and regulations regarding data protection and data privacy. This Data Protection Policy (hereinafter referred to as “Policy”) explains the relevant processing of Personal Data and the relevant data protection rights.

2. Definition

Associates: Directors, officers, managers and employees of CENTOGENE.
Biochemical Data: Any data from the biochemical analysis of the Sample.
CENTOGENE: The CENTOGENE GmbH including all affiliates.
Consent: Any freely given, specific, informed and withdrawable agreement of an Individual to the processing of his/her Personal Data.
Cookies: Small text files that are stored in the Individual's local browser cache. Most browsers are configured to accept cookies automatically.
Data Processors: External service providers we use to automatically process Personal Data.
De-facto anonymized or in de-facto anonymized form: The data available at CENTOGENE is reduced to a level, even removing any pseudonyms, which makes re-identification of you as a person for any further recipient of the data practically impossible.
EEA: The European Economic Area (which includes the EU).
EU: The European Union.
GDPR or General Data Protection Regulation: Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
Genetic Data: Any data from the genetic analysis of the Sample.
Health Data: Any data collected relating to the health condition of a Patient.
Healthcare Service Provider: Any laboratory, hospital and/or other institute which is involved in the counselling and/or treatment of a Patient and in which one or more Physicians are active.
HCP: Physicians and Healthcare Service Providers.
Individual: The natural person to whom the Personal Data relates, this can be a Patient, a Physician, a Healthcare Service Provider or any other person.
Individual's Request: Any request from an Individual to exercise its rights described in Art. 15 – 21 GDPR.
Patient: Any person on whom any laboratory testing including genetic or biochemical testing is performed at CENTOGENE or who is interested in such testing for himself/herself and accordingly contacts CENTOGENE.
Physician: The responsible physician counselling and/or treating one or several Patients.
Personal Data: Any information relating to an identified or identifiable natural person.
Personal Health and Genetic Data: Personal Data including Genetic Data and Health Data.
Pseudonymize or Pseudonymization: Processing of data in such a manner that the data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures. In this case your name and other personal identifiers will be replaced by a particular code (Pseudonym) in the following format: CGXXXXXXXX. Pseudonymized data is still considered to be Personal Data.
Sample: The specimen containing biological material of a Patient.
Third Country: Country outside the EEA.
Third Party: Any person, including a legal entity, that is neither CENTOGENE, an Associate, a Data Processor nor the Individual him- or herself.
Website: www.centogene.com

Reference is made to further definitions set forth in Art. 4 GDPR.

3. Mandatory Information Under the GDPR

3.1 Responsible Controller and Contact Details

Data controller and responsible entity for the processing of Personal Data is

CENTOGENE GmbH
Am Strande 7
18055 Rostock
Germany

(“CENTOGENE”, “we” or “us”) represented by the Executive Board members as listed on our website.

You can reach our data protection officer at the same address with the addition “Attn: Data Protection Officer” or by email at dataprivacy@centogene.com.

3.2 Processing of Personal Data

Depending on which of our services are being used and/or which Individual is involved, CENTOGENE processes and stores different Personal Data and Individuals have the data protection rights listed below.

3.2.1 Patients

a) Genetic and/or biochemical analysis

Based on the respective Consent and through the Patients’ Physician, we collect and process Personal (Biochemical, Health and Genetic) Data from Patients including up to the following details:

  • personal details (including first name, last name, date of birth and/or age),
  • address (insofar as provided),
  • family relations (insofar as provided),
  • gender,
  • ethnicity (insofar as provided),
  • nationality (insofar as provided),
  • information on Patient’s insurance (insofar as provided),
  • disease,
  • symptoms and other medical information,
  • Samples, and
  • results of the genetic and/or biochemical analysis

Such Personal (Biochemical, Health and Genetic) Data of a Patient will be processed to conduct the genetic and/or biochemical analysis, to inform the Patient, the Patient’s Physician and any other recipient as specified in the respective declaration of consent of the results of such analysis, for invoicing, and for further purposes as specified in the respective declaration of consent. Any Personal (Biochemical, Health and Genetic) Data of a Patient will be stored as long as agreed to in the declaration of consent. The legal basis for the processing is Art. 6 para. 1 (a) and Art. 9 para. 2 (a) GDPR.

b) Patient stories

Based on the respective Consent, we collect and process Personal (Health) Data from Patients including up to the following details:

  • name,
  • email address,
  • phone number,
  • symptoms and other medical information,
  • country (insofar as provided),
  • story of the Patient, and
  • photo

Such Personal (Health) Data of a Patient will be processed as part of our ongoing programs to increase rare disease awareness. Therefore, we will publish the story, photo, symptoms and other medical information, and country (insofar as provided) together with only the first name, on our Website, on our social media profiles (including but not limited to Facebook, LinkedIn, Twitter, YouTube, Xing), on DVDs, in videos, in print (including but not limited to brochures, flyers, posters, magazine contributions), and other publications on the internet. We will never publish the last name, email address or phone number. The legal basis for the processing is Art. 6 para. 1 (a) and Art. 9 para. 2 (a) GDPR.

3.2.2 Health Care Professionals

We collect and process Personal Data from HCPs including up to the following details:

  • personal details (including first name, last name, title),
  • phone and fax number (insofar as provided),
  • business address and department,
  • institution/practice name,
  • specialization and language,
  • license number/authorizing institution, and
  • email address.

Such Personal Data of a HCP will be processed to provide the services requested, in particular to inform the HCP of the Patient’s test results, as well as for invoicing (Art. 6 para. 1 (b) GDPR). Furthermore, it will be processed to inform the HCP about our products and services and for further customer relation management measures based on our overriding legitimate interest in maintaining a good customer relationship (Art. 6 para. 1 (f) GDPR). Any Personal Data of a HCP will be stored at least until the Personal Data of the last of the HCP’s Patients has been deleted.

With the consent of an HCP, we may include the HCP’s contact information in our outreach programs. We are processing such personal data to inform HCPs about studies, clinical trials, and (experimental) treatment options. With the HCP’s consent, we may transfer personal contact data to our designated Partner to inform HCPs directly about studies, clinical trials, testing programs, (experimental) treatment options and to raise awareness about diagnosis and treatment of rare genetic diseases in general, including current developments in this field. This may include a data transfer to third countries which do not provide for equivalent data protection standards. CENTOGENE will take appropriate measures to safeguard the transfer. The legal basis for the data processing is consent (Art. 6(1)(a); Art. 49(a) GDPR).

3.2.3 Newsletter

Visitors of our Website are welcome to subscribe to our newsletters, in which we provide the latest news about our products, services and upcoming events. We only send newsletters and other marketing measures if the visitor has confirmed according to the so-called double opt-in (Art. 6 para. 1 (a) GDPR). In order to provide the newsletters, we process and store certain Personal Data (in particular email address, time of registration and IP address) at least until the visitor unsubscribes from the newsletter. We use technologies to measure interactions with our newsletters (e.g. opening of the email, links clicked) for general statistical evaluations and to understand what content our readers are interested in. Such Processing is based on Art. 6 para. 1 (f) GDPR because we have an overriding legitimate interest to optimise our customer communication. You can unsubscribe from our newsletters and prevent aforementioned analysis at any time; to do so please use the unsubscribe link contained in every newsletter.

3.2.4 Contact via email or via contact form

If we are addressed by email or via the contact form we collect and process Personal Data, including up to the following details:

  • personal details (including first name, last name, title),
  • date of birth,
  • email address,
  • phone number,
  • country,
  • professional title, and
  • other (optional) Personal Data (insofar as provided).

Such Personal Data will be processed to answer the respective request. The legal basis for the processing is Art. 6 para. 1 (b) GDPR.

3.2.5 Events and meetings

We host various events and meetings. Interested HCPs can register for such events and meetings on our Website. In this regard we collect and process Personal Data including up to the following details:

  • personal details (including first name, last name, title),
  • email address,
  • phone number,
  • country,
  • whether the Individual is a Physician, researcher or Patient,
  • IP address, and
  • other (optional) Personal Data (insofar as provided).

Such Personal Data will be processed for the registration and realization of the respective event or meeting. The legal basis for the processing is Art. 6 para. 1 (b) GDPR.

3.2.6 Job applicants

We collect and process Personal Data from job applicants. Further information can be found in our Data Protection Information for job applicants.

3.2.7 Technical data

In general, visitors are able to visit our Website without revealing their identity, except as their identity is necessary to provide a product or service. However, any web browser automatically sends certain technical data, each time our Website is visited. This technical data may include IP address, date and time of the request, access status/ HTTP status code, browser, operating system, language and browser version. Such technical data will be processed to enable the use of our Website, to ensure the permanent functionality and security of our systems, including fraud prevention and internal quality control. Some of this technical data is saved in internal logfiles and will be automatically evaluated solely for statistical, performance and security purposes. The technical data saved in the logfiles allows no direct conclusion to be drawn about the visitor; in particular we store the IP address only in truncated form. The legal basis for the processing is Art. 6 para. 1 (b) and Art. 6 para. 1 (f) GDPR based on our overriding legitimate interest mentioned above.

Any technical data collected on our Website will be stored only for a period of 4 weeks, unless otherwise stated in Annex 1, the technical data is necessary to manage the user account or storage is necessary to comply with applicable laws.

3.2.8 Cookies and comparable technologies

We use Cookies and comparable technologies (e.g. web beacons) on our Website.

You can manage your cookie settings here. Cookies already stored on your device can be deleted at any time, using the browser functionality. Non-acceptance of Cookies, however, can lead to functional restrictions.

A detailed overview of the Cookies used on our Website and their storage period can be found in Annex 1 hereto.

a) Required Cookies and comparable technologies (“Required Cookies”)

Required Cookies are used to enable basic website functionalities such as page navigation, to verify if a visitor has read the cookie notification, and to save visitor’s cookie settings. Therefore, we use our own Cookies. Required Cookies cannot be disabled, otherwise our Website would not function correctly. The legal basis for the processing is Art. 6 para. 1 (b) GDPR.

b) Statistical Cookies and comparable technologies (“Statistical Cookies”)

Statistical Cookies are used to analyse and improve our Website on the basis of general usage patterns. The legal basis for the processing is Art. 6 para. 1 (a) GDPR.

Our Website uses Statistical Cookies of the following external partners:

i. Google Analytics

Google Analytics is a web analytics service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). The technical data generated about the use of the Website will be transmitted to and stored by Google on servers in the United States of America (“USA”). The IP-address will be truncated within the EU or EEA using “anonymizeIP”. Based on this technical data, Google evaluates Website usage, compiles reports on website activity and provides us further services relating to website activity and internet usage. Should Personal Data be transmitted to the USA, we have concluded so called EU Standard Contractual Clauses for data transfers between EU and non-EU countries. Further information can be found in Google’s Privacy Policy.

ii. Hotjar

Hotjar is a web analytics service provided by Hotjar Ltd., Elia Zammit Street 3, St Julians STJ 1000, Malta (“Hotjar”). Hotjar creates so-called heat maps. Heat maps display statistics on mouse movements and clicks on our Website in graphic form. Hotjar collects certain technical data, including the IP address (captured and stored only in pseudonymized form), screen size, type of device (unique device identifiers), browser information, geographic location (country only) and preferred language. Hotjar stores this technical data in a pseudonymized usage profile. Further information can be found in Hotjar’s Privacy Policy.

c) Marketing Cookies and comparable technologies (“Marketing Cookies”)

Marketing Cookies are used to provide relevant content on our products and services. The legal basis for the processing is Art. 6 para. 1 (a) GDPR.

Our Website uses Marketing Cookies of the following external partners:

i. Facebook Pixel / Facebook Custom Audience

Facebook Pixel provided by Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland ("Facebook") is a tool to generate a Facebook customer list (“Custom Audience”) and enables us to display individualised advertising messages and analyse customer behaviour. When someone visits our Website and takes an action, the Facebook Pixel is triggered and reports this action. This way, we know when a customer took an action after seeing our Facebook ad. Furthermore, we are able to reach this customer again by using such Custom Audience. Any data is locally hashed before it is transmitted to Facebook. Should Personal Data be transmitted to the USA, we have concluded so called EU Standard Contractual Clauses for data transfers between EU and non-EU countries. We are joint controllers with Facebook for the processing of Personal Data as part of this process. You can find the joint controller agreement here. Further information on data processing can be found in Facebook’s Data Policy.

ii. Google AdWords conversion tracking and remarketing

AdWords conversion tracking and AdWords remarketing are services of Google. AdWords conversion tracking captures specific customer actions (such as clicking on an advertisement, page call-ups, downloads) and analyses them. AdWords remarketing is used to display individualised advertising messages to website visitors. Should Personal Data be transmitted to the USA, we have concluded so called EU Standard Contractual Clauses for data transfers between EU and non-EU countries. Further information can be found in Google’s Privacy Policy.

iii. Google DoubleClick

DoubleClick by Google uses cookies and similar technologies to show advertisements which might be interesting for Website visitors. The use of DoubleClick enables Google and its partner websites to insert advertisements on the basis of previous visits to our or other websites on the internet. Should Personal Data be transmitted to the USA, we have concluded so called EU Standard Contractual Clauses for data transfers between EU and non-EU countries. Further information can be found in Google’s Privacy Policy.

iv. LinkedIn Insight Tag

LinkedIn Insight Tag provided by LinkedIn Corporation, 2029 Stierlin Court, Mountain View, California 94043, USA (“LinkedIn”), enables the collection of technical data regarding LinkedIn members’ visits to our Website, including the URL, referrer, IP address, device and browser characteristics (User Agent), and timestamp. The IP addresses are truncated or (when used for reaching members across devices) hashed, and LinkedIn members’ direct identifiers are removed within seven days in order to make the data pseudonymous. This remaining pseudonymized data is then deleted within 180 days. LinkedIn does not share the Personal Data with us. LinkedIn only provides reports (which do not identify the LinkedIn member) about the website audience and ad performance. LinkedIn also provides retargeting for website visitors (up to 90 days after the visit), enabling us to show personalized ads off our website. We use technical data that does not identify an Individual to improve ad relevance and reach members across devices.

LinkedIn members can control the use of their Personal Data for advertising purposes through their account settings. Should Personal Data be transmitted to the USA, we have concluded so called EU Standard Contractual Clauses for data transfers between EU and non-EU countries. Further information can be found in LinkedIn’s Privacy Policy.

v. YouTube

YouTube is a video platform provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). Google collects certain technical data, every time a user watches a video. This technical data enables Google to keep statistics of which videos from YouTube a user has watched. Should Personal Data be transmitted to the USA, we have concluded so called EU Standard Contractual Clauses for data transfers between EU and non-EU countries. Further information can be found in Google’s Privacy Policy.

vi. Pardot Marketing Automation System

Pardot Marketing Automation System (“Pardot MAS”) is a service provided by salesforce.com, inc., 415 Mission Street, San Francisco, CA 94105, USA (“Salesforce”). Pardot MAS gathers and evaluates technical data about website usage. Once our Website is visited, Pardot MAS records the click path and creates a pseudonymized usage profile. Based on this technical data, we can provide relevant content about our products and services. Should Personal Data be transmitted to the USA, we have concluded so called EU Standard Contractual Clauses for data transfers between EU and non-EU countries. Further information can be found in Salesforce’s Privacy Policy.

3.2.9 CentoPortal®

CentoPortal® allows users to browse our complete portfolio and to request a genetic, biochemical or biomarker analysis, keep track of the status of Samples, and to manage medical reports. Further information can be found in our Data Protection Policy for CentoPortal®.

3.2.10 CentoMD®

a) Sign up and login

In order to use CentoMD® users are required to sign up. Once signed up, users can login to CentoMD® using their login details. We collect and process Personal Data of CentoMD® users, including up to the following details:

  • personal details (including first name, surname, title),
  • company name and business address,
  • telephone and fax number,
  • email address, and
  • login details.

Such Personal Data of CentoMD® users will be processed to provide the respective services requested. The legal basis for the processing is Art. 6 para. 1 (b) GDPR.

b) Curated data

CentoMD® solely contains curated data from Patients in de-facto anonymized form. “In de-facto anonymized form” means that apart from CENTOGENE, no Third Party is able to identify a person in the provided data set.

3.2.11 Social Media

CENTOGENE maintains several social media profiles (“Social Page(s)”).

a) Facebook and Instagram 

The Facebook and Instagram Social Pages are provided by Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland ("Facebook"). CENTOGENE is responsible for the processing of Personal Data, if visitors interact directly with us via the respective Social Page. Facebook and CENTOGENE are jointly responsible for the processing of Personal Data regarding Page Insights (as defined below). Further information regarding the responsibilities can be found in the Page Insights Controller Addendum we have agreed upon with Facebook.

We collect and process Personal Data, if visitors directly interact with us via the Facebook Social Page such as private messages, comments, videos, pictures and likes. Such processing is based on Art. 6 para. 1 (b) GDPR. Facebook processes certain technical data of visitors every time a visitor interacts with the Social Page using cookies and similar technologies to track the usage behavior. Based on that technical data, Facebook generates so-called "Page Insights". Page Insights only contain statistical and de-personalized information which cannot directly be assigned to an Individual. CENTOGENE has no access to this technical data and cannot influence the web tracking methods of Facebook. Facebook provides us with Page Insights, which may help us to understand how visitors engage with the Social Page and which content is of high interest for them. Such processing is based on Art. 6 para. 1 (f) GDPR because we have an overriding legitimate interest to provide the latest news about our products and services and to interact with our customers and visitors. Should Personal Data be transmitted to the USA, we have concluded so called EU Standard Contractual Clauses for data transfers between EU and non-EU countries. Further information about Page Insights can be found in Facebook’s Information about Page Insights Data and about Data Processing by Facebook in Facebook’s Data Policy.

b) Other Social Pages

The LinkedIn Social Page is provided by LinkedIn Corporation, 2029 Stierlin Court, Mountain View, California 94043, USA (“LinkedIn”), the Twitter Social Page is provided by Twitter, Inc., 1355 Market St, Suite 900, San Francisco, California 94103, USA (“Twitter”) and the YouTube Social Page is provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”).

We collect and process Personal Data, if visitors directly interact with us via the respective Social Page such as private messages, comments, videos, pictures and likes. Such processing is based on Art. 6 para. 1 (b) GDPR.

The respective social media provider processes certain technical data of visitors every time a visitor interacts with the respective Social Page using cookies and similar technologies to track the usage behavior, social media relationships and preferences. This may also take place if visitors are not logged in or registered on the respective social media platform. CENTOGENE does not have access to this technical data and cannot influence the web tracking methods of the respective social media provider. Should Personal Data be transmitted to the USA, we have concluded so called EU Standard Contractual Clauses for data transfers between EU and non-EU countries. Further information can be found in LinkedIn’s Privacy Policy, Twitter’s Privacy Policy and Google’s Privacy Policy.

3.2.12 Recipients

Transfer of Personal Data to a Third Party only takes place with either explicit Consent, in order to fulfill a legal obligation or if such transfer is permitted by law. In this regard, please be informed as follows: In principle, we process Personal Data ourselves. However, we use Data Processors, e.g. IT-service providers that maintain our systems as well as data centers which host such systems. These third party services are then considered as Data Processors under GDPR. Such Data Processors have been carefully selected, are contractually bound to comply with data protection laws, are subject to our instructions and to regular monitoring and are only allowed to use Personal Data to fulfil their contractual obligations. Furthermore, we always conclude GDPR compliant data processing agreements with such Data Processors.

3.2.13 International transfer

In principle, we process Personal Data solely within Germany, the EU or the EEA. In certain cases, however, we may be required to transfer Personal Data to a Third Country, where GDPR provisions do not apply; e.g. if Personal (Health and Genetic) Data of a Patient was provided to CENTOGENE via a HCP located in a Third Country or if a Data Processor is located in this Third Country.

However, such transfer shall only take place (i) with either explicit Consent, (ii) if the European Commission has decided that such Third Country already provides an adequate level of protection or (iii) if we establish appropriate safeguards with our contractual partner; e.g. by concluding so called EU Standard Contractual Clauses for data transfers between EU and non-EU countries with the Third Country recipient, which are compliant with GDPR requirements. In such case you have a right to request a copy of the EU Standard Contractual Clauses. To do so please contact us via the contact details provided under 3.1 Responsible controller and contact details.

3.2.14 Retention period

Unless otherwise stated in this Policy we store Personal Data only for as long as necessary to fulfil our contractual obligations. Thereafter we immediately delete Personal Data. However, we are required to store certain Personal Data longer for statutory reasons. In particular, with regard to patient files including Personal (Biochemical, Health and Genetic) Data - once a report for a genetic testing was provided to the Patient’s Physician – we are obliged to store the patient file for a mandatory period of 10 years. In addition we are obliged to store certain Personal Data for a mandatory period from 2 to 10 years under the German Commercial Code, the German Tax Code, the German Credit and Loans Act, the German Money Laundering Act, and the German Criminal Code. Furthermore we store certain Personal Data for the purpose of evidence in civil claims.

In case we received consent for the data processing, we store the data until consent is withdrawn and/or the data is necessary to fulfil the purposes of the respective data processing, unless we are required to store certain Personal Data longer for statutory reasons.

3.3 Data Protection Rights

You have the following data protection rights, which you can exercise at any time at the address mentioned at “3.1 Responsible data controller and contact details” with the addition “Attn: Data Protection Officer” or by email at dataprivacy(at)centogene(dot)com

3.3.1 Right of access

You have the right to know if and which Personal Data of yours is processed and stored. Furthermore, you can request a copy of your Personal Data free of charge.

3.3.2 Right to data portability

You have the right to receive your Personal Data, which you have provided to the Study Site and/or CENTOGENE, in a structured, commonly used and machine-readable format. Furthermore, you may have your Personal Data transferred to another legal entity. E.g. you can ask for an excerpt of the Personal Data you have provided to the Study Site and/or CENTOGENE in a PDF file.

3.3.3 Right to rectification

You have the right to obtain rectification of your inaccurate Personal Data, and the right to have your incomplete Personal Data completed. E.g. if your name is spelled wrong, you can ask to correct it.

3.3.4 Right to erasure

You have the right to have your Personal Data deleted. However, we may be required by applicable laws to store certain Personal Data even after receiving a request to delete such data (further information can be found under 3.2.9 Retention period).

3.3.5 Right to restriction of processing

You have the right to obtain restriction of the processing of your Personal Data.

3.3.6 Right to object

You have the right to object to the processing of your Personal Data, if the processing is based on CENTOGENE’s legitimate interest or if your Personal Data are processed for direct marketing purposes.

3.3.7 Right to lodge a complaint

You have the right to file a complaint with the competent supervisory authority. In Rostock, the responsible supervisory authority is "Der Landesbeauftragte für Datenschutz und Informationsfreiheit Mecklenburg-Vorpommern", Werderstraße 74a, 19055 Schwerin, https://www.datenschutz-mv.de. You can also contact the supervisory authority of your place of residence, place of work or at the place where the alleged infringement occurred.

3.3.8 Right to withdraw a consent

Insofar as the processing of your Personal Data is based on your Consent, you have the right to withdraw your Consent at any time with effect for the future.

3.3.9 Applicable national laws

Any further or modified rights under applicable national laws remain unaffected by the rights set forth herein.

3.3.10 Procedure

In general, CENTOGENE will respond to Individuals no later than one (1) month after receiving an Individual’s Request. In exceptional cases, CENTOGENE may extend this period by two (2) further months with prior notice. If an Individual’s Request does not contain sufficient detail, CENTOGENE reserves the right to request additional information. Before denying any Individual’s Request, Associates must seek the advice of CENTOGENE’s legal department. CENTOGENE will provide the Individual with an explanation for any denied Individual’s Request.

4. Reporting Potential Misconduct

Any Associate who learns of a potential violation of applicable laws and/or this Policy is required to report his or her suspicion promptly to his or her supervisor, legal department or management. Associates who report potential misconduct, provide information or otherwise assist in any inquiry or investigation of potential misconduct will be protected against retaliation.

5. Breach of This Policy

Breaches of this Policy may lead to disciplinary and other actions up to and including termination of employment or contract (for Third Parties).

6. Responsibilities

All Associates must adhere to the principles and rules set out in this Policy. It is the responsibility of every CENTOGENE manager, director or supervisor to adhere to this Policy within his or her area of functional responsibility, to lead by example, and to provide guidance to those Associates reporting to him or her.

7. Security Measures

CENTOGENE has taken extensive measures to ensure the security of Personal Data, including the following:

  • Organizational measures: Preparation and implementation of an internal control plan, regular employee training and education;
  • Technical measures: Management of access rights to its systems, installation of an access control system, encryption of certain Personal Data, installation of security programs;
  • Physical measures: Restriction of access to all internal data centres (e.g. computer rooms, data storage rooms), and
  • Contractual measures: Third Parties which host our systems are contractually bound, subject to our instructions and to regular monitoring.

8. Changes To This Policy

CENTOGENE is dedicated to the highest standards and to continuously improving its services. Therefore, we may change our services from time to time. Such changes may affect the Processing of Personal Data. We reserve the right to amend this Policy at any time. The current version is available at www.centogene.com. We advise you to inform yourself at regular intervals about the current status of this Policy.

This version of this Policy is effective from January 2021. Rostock, January 2021

Annex 1 – Overview of Cookies

www.centogene.com
| Cookie Type | Provided by | Name | Purpose | Lifespan |
|---|---|---|---|---|
| Required | Centogene | PHPSESSID | This is a general-purpose identifier used to maintain user session variables. | Duration of the session: the cookie is deleted when the browser is closed. |
| Required | Centogene | fe_typo_user | Preserves user states across page requests. | Duration of the session: the cookie is deleted when the browser is closed. |
| Required | Centogene | cookieNotificationVisited | Checks whether the visitor has read the cookie notification. | 1 year |
| Required | Centogene | PermissionCookie | Checks whether the visitor has allowed the use of cookies. | 1 year |
| Required | Centogene | PermissionCookieVersion | Checks whether the user has seen the latest version of the cookie notification. | 1 year |
| Statistical | Google | _ga | Google Analytics cookie: tracks site visits. | 10 min |
| Statistical | Google | _gat | Google Tag Manager cookie. | 10 min |
| Statistical | Google | _gid | Google Analytics cookie for storing randomly generated IDs about the user. | Duration of the session: the cookie is deleted when the browser is closed. |
| Statistical | Hotjar | _hjIncludedInSample | Hotjar cookie: Determines if the user's navigation should be registered in a certain statistical place holder. This is a general-purpose identifier used to maintain user session variables. | Duration of the session: the cookie is deleted when the browser is closed. |
| Statistical | Hotjar | _hjid | Sets a unique ID for the session. This allows the website to obtain data on visitor behaviour for statistical purposes. | 1 year |
| Marketing | Facebook | fr | Facebook uses the ‘fr’ cookie to deliver, measure and improve the relevancy of ads. | 3 months |
| Marketing | Facebook | tr | Used by Facebook to show various kinds of advertising, for example real-time offers from third party advertisers. | Session |
| Marketing | Google | ads/ga-audiences | Used by Google AdWords to re-engage visitors that are likely to convert to customers based on the visitor's online behavior across websites. | Session |
| Marketing | Google | NID | Registers a unique ID that identifies a returning user's device. The ID is used for targeted ads. | 6 months |
| Marketing | Google | IDE | Used by Google DoubleClick to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user. | 1 year |
| Marketing | LinkedIn | UserMatchHistory | LinkedIn Ads ID syncing | 30 days |
| Marketing | LinkedIn | li_sugr | Browser Identifier | 3 months |
| Marketing | LinkedIn | li-oatml | Member indirect identifier for conversion tracking, retargeting, analytics | 1 month |
| Marketing | Various, first party domain | li_fat_id | Member indirect identifier for conversion tracking, retargeting, analytics | 1 month |
| Marketing | .adsymptotic.com | U | Browser Identifier | 3 months |
| Marketing | Youtube | GPS | Registers a unique ID on mobile devices to enable tracking based on geographical GPS location. | 1 day |
| Marketing | Youtube | YSC | Registers a unique ID to keep statistics of which videos from YouTube a user has watched. | Duration of the session: the cookie is deleted when the browser is closed. |
| Marketing | Salesforce | pardot | Used to identify the visitor across visits and devices. | Session |
| Marketing | Salesforce | visitor_id486591 | Pardot cookie: tracks site visits. | 1 year |
| Marketing | Salesforce | visitor_id486591-hash | Pardot cookie: tracks site visits. | 1 year |



www.centomd.com
| Cookie Type | Provided by | Name | Purpose | Lifespan |
|---|---|---|---|---|
| Required | Centogene | PHPSESSID | This is a general-purpose identifier used to maintain user session variables. | Duration of the session: the cookie is deleted when the browser is closed. |
| Statistical | Google | _ga | Google Analytics Cookie tracks site visits. | 10 min |
| Statistical | Google | _gat | Google Tag Manager Cookie. | 10 min |
| Statistical | Google | _gid | Google Analytics Cookie for storing randomly generated ids about the user. | Duration of the session: the cookie is deleted when the browser is closed. |