The protection of your privacy and the confidentiality of your personal data are very important to us. In the following, we would like to explain to you which of your personal data we process and which rights you have with regard to your data.
1. Who are we and how can you reach our data protection officer?
First of all about us – the responsible party within the meaning of the General Data Protection Regulation (hereinafter: “DSGVO”) is the
Pohnsdorfer Straße 3
23611 Bad Schwartau
Represented by the Managing Director Timo Scharpenberg
You can contact our Data Protection Officer at:
Personally/Confidential to the Data Protection Officer
Pohnsdorfer Straße 3
23611 Bad Schwartau
2. General information about data processing and why we process your data
The term personal data is defined in the GDPR. It defines personal data as any information relating to an identified or identifiable natural person – for example, your name, address or telephone number, but also online identifiers such as web IDs or your rapid antigen test result (hereinafter “test” or “Corona rapid test”) on your personal certificate. The latter even falls under the category of special personal data, because it is a date about your health.
If you make use of our products and services, we process your personal data on the basis of various legal foundations:
We process your personal data for the fulfilment of contractual obligations (Art. 6 para. 1 p. 1 lit. b) DSGVO). This includes in particular
– the processing of orders,
– to manage your admin area (consisting of your email address, certification code and Magic Link) or even
– for contacting you as far as it concerns relevant information about your order with us or when you direct enquiries to us.
In addition, we process your data to safeguard our legitimate interests (Art. 6 para. 1 p. 1 lit. f) DSGVO), i.e.
– for the purpose of compiling statistics to improve our products and services,
– for the purposes of preventing, investigating and reporting criminal offences, e.g. fraud, credit card misuse or identity deception,
– for the assertion of legal claims or
We process your data on the basis of your consent (Art. 6 para. 1 p.1 lit. a) DSGVO) for certain purposes, for example
– for the purpose of processing your health data (Corona quick test result),
– for the purpose of compiling statistics to improve products and services.
– for personalised use of the website and for personalised offers as well as optimisation of the web offer.
– for analytical purposes in order to optimise our offer for you.
You can revoke the consent you have given us at any time without having to give us the reasons. The revocation of your consent is only effective for the future and does not affect the lawfulness of the data processed until the revocation.
II. What data do we process for your online certificate?
1. ordering process
All officially tested and validated self-tests that you can purchase, for example, from pharmacies or medical retailers are suitable for our concept. If you wish, you have the option of ordering a corresponding Corona rapid test via our web shop. The following data will be processed during the ordering process via our online shop and the order processing:
– Salutation, first name, last name, title if applicable
· Payment data
· Phone (fix or mobile)
When paying via PayPal, credit card via PayPal, direct debit via PayPal or – if offered – “purchase on account” or “payment by instalments” via PayPal, we pass on your payment data to PayPal (Europe) S.a.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg (hereinafter “PayPal”) as part of the payment processing. In addition to the data already processed as part of the ordering process, PayPal processes bank data, such as account numbers or credit card numbers, passwords, TANs and checksums, as well as the contract, sum and recipient-related details. These details are required to carry out the respective transaction. The data you enter in individual cases is only processed by the payment service providers. Account or credit card-related information is therefore not disclosed to us, but only information with confirmation or negative information of the payment. Under certain circumstances, your data may be transmitted by the payment service providers to credit agencies. This transmission takes place for the purpose of checking your identity and creditworthiness.
Accordingly, the General Terms and Conditions and the data protection information of PayPal, which can be called up within the website or transaction application, apply to the payment transactions. We also refer to these with regard to further information and the assertion of revocation, information and other data subject rights.
Die Datenschutzhinweise von PayPal findest du hier
In addition, our logistics service providers also receive your data for the purpose of delivering your ordered items.
2. authentication process
Before you take the Corona Quick Test, it is necessary for you to go through an authentication process. Our exclusive partner WebID Solutions GmbH, Friedrichstraße 88, 10117 Berlin (“WebID Solutions”) will identify you in a legally secure manner. This works quickly and easily with any internet-enabled device including a camera. All you have to do is complete a short AI-supported identification process.
The provision of your data is basically voluntary, but without the data marked as mandatory or provided as required in the context of the certification, the execution of the test cannot be certified.
WebID Solutions processes the following personal data about you:
– Your ID document (first name, last name, street/ house number, postcode, city, country, date of birth, place of birth, name at birth, nationality, type of ID card, ID card number, date of issue of the ID card, expiry date of the ID card, issuing authority of the ID card, MRZ (“machine readable zone”, this is the visible part of your ID or travel document that has been specially designed to be read by optical text recognition. This reading zone is usually located at the bottom of an ID document), a screenshot of the ID and a picture of your face.
3. verification of the Corona quick test you performed
After you have authenticated yourself via WebID, the test is conducted and recorded according to instructions. Your recording is then viewed and assessed by our trained staff and the test result is officially certified. In the course of the test procedure and in order to be able to issue you with the certificate afterwards, we still process the following data from you:
· Mobile number
· Phone number
· Photo (Screenshot) of the User
· Audio-Recording of the calls
– Video recording of the call
– End device used
– Positive or negative test result for Corona disease that you have reported.
In order for WebID Solutions to establish your identity and authenticate the testing process you have carried out (as the basis for the confirmation certificate), it is necessary for you to expressly consent to the processing of your health data (positive or negative Corona test result).
We would like to point out that your consent is voluntary and that you can revoke it at any time with effect for the future via the correspondingly marked button in the app or on the WebID Solutions website or via firstname.lastname@example.org. This does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.
At the same time, we would like to point out that in the event of a revocation of consent for the processing of special categories of personal data (here: your positive or negative Corona test result), it will no longer be possible to establish your identity and/or authenticate the test procedure; you will also be informed of this before the order process is completed.
III. What happens when you visit our website?
1. automatic data processing
When you visit a website, certain data is automatically processed, including on our website. When you call up our website, the browser used on your end device automatically sends information to the server of our website (so-called server log files). This information is temporarily stored in a so-called log file. The following information is recorded without your intervention and stored until automatic deletion:
– IP address of the requesting computer (in anonymised form),
– Date and time of access,
– Name and URL of the retrieved file,
– Website from which the access is made (referrer URL),
– the browser used and, if applicable, the operating system of your computer, smartphone, etc. as well as the name of your access provider.
These data are processed by us for the following purposes:
– Ensuring a smooth connection of the website,
– Ensuring a comfortable use of our website,
– Evaluation of system security and stability as well as
– for further administrative purposes.
In no case do we use the collected data for the purpose of drawing conclusions about you.
Most browsers automatically accept cookies. However, you can configure your browser so that no cookies are stored on your computer or a message always appears before a new cookie is created. The complete deactivation of cookies may mean that you cannot use all the functions of our website.
Cookies can be divided into different categories:
First of all, we distinguish between “First-party cookies“, which are created and set directly by our site, and “Third-party cookies“, which are set by partner websites.
Furthermore, cookies can be divided into further types:
These cookies are necessary to ensure basic website functionality. For example, these cookies are required when you add a product to your shopping cart, then continue browsing other pages and later click to pay. These cookies do not delete the shopping cart even if you close your browser window.
Statistics and analysis cookies
These cookies collect information about user behaviour and whether the website visitor receives any error messages. In addition, these cookies are also used to measure the loading time and the behaviour of the website with different browsers. In addition, they ensure better user-friendliness. For example, locations entered, font sizes or form data are saved.
How can I delete cookies?
In principle, you decide yourself how and whether you want to allow cookies to be set. Regardless of which service or website the cookies come from, you always have the option of deleting, deactivating or only partially allowing cookies. For example, you can block cookies from third-party providers, but allow all other cookies.
If you want to check which cookies have been stored in your browser, if you want to change your cookie settings or delete cookies, you can find this in your browser settings:
Cookie Consent Tool (Cookiebot)
The storage of a cookie is technically required for the use of Cookiebot.
Settings via Cookiebot
The first time you visit our website, you will see Cookiebot as a pop-up window. Here you can switch the cookies on or off by clicking on the corresponding box. Please note that the required cookies (see our description above) are already stored when you access the website and the relevant box is set by default.
Your cookie settings
If you would like to check or change your cookie settings, click on Cookie settings and then you can make the appropriate settings in Cookiebot.
If you have consented to cookies being set when you visit our website, you can withdraw your consent by calling up Cookiebot (see Cookie settings above) and deselecting the relevant cookie category.
We use the open source software tool Matomo on our website to analyse the surfing behaviour of our users. The software sets a cookie on your terminal device and the following data is stored:
– Two bytes of the IP address of the calling system of the user
– the accessed website
– the website from which the user accessed the website (referrer)
– the subpages that are called up from the called-up website
– the length of stay on the website
– the frequency with which the website is accessed
– Campaign evaluation via external links
The software runs exclusively on the servers of our website. Personal data of the users is only stored there. The data is not passed on to third parties.
Here is a summary overview of the cookies we use and how long they are stored:
– _pk_id – 13 months (used to store some details about the user, such as the unique visitor ID).
– _pk_ref – 6 months (used to store attribution information, the referrer originally used to visit the website).
– _pk_ses, pk_cvar, pk_hsr – 30 minutes (short-lived cookies used to temporarily store data about the visit).
– _pk_testcookie is created and should then be deleted directly (used to check whether the visitor’s browser supports cookies).
– mtm_consent (or mtm_consent_removed) are created with an expiry date of 30 years to remember that the user has given (or removed) consent.
We have integrated YouTube videos into our online offer, which are stored on https://www.YouTube.com and can be played directly from our website. These are integrated in the so-called “extended data protection mode”, i.e. no data about you as a user is transmitted to YouTube if you do not play the video. Only when you actively click on a video and allow it to play does a transfer of your personal data take place.
By visiting the website and playing one of our embedded videos, YouTube receives the information that you have accessed the corresponding subpage of our website. In addition, YouTube receives the following data from you: your IP address, date and time of the request, time zone, content of the request (specific Internet page), access status/HTTP status code, the amount of data transferred in bytes, the website from which the request comes (link), the browser used, the operating system and its interface, the language and version of the browser software.
This occurs regardless of whether YouTube provides a user account via which you are logged in or whether no user account exists. If you are logged in to Google, your data will be directly assigned to your account. If you do not want your data to be associated with your YouTube profile, you must log out before activating the button. YouTube stores your data as usage profiles and uses them for the purposes of advertising, market research and/or the design of its website in line with requirements. Such an evaluation is carried out in particular (even for users who are not logged in) to provide needs-based advertising and to inform other users of the social network about your activities on our website. You have the right to object to the creation of these user profiles, and you must contact YouTube to exercise this right.
3. contacting us
When you contact us, we only collect personal data (e.g. name, e-mail address, telephone number) if you provide it to us yourself. Your personal data will only be used for the contact or for the purpose for which you have provided us with this data, i.e. as a rule for processing your specific enquiry.
IV. What else you should know
Who do we share your information with?
We only pass on data to third parties if we have a legal basis for doing so. Your personal data will not be passed on commercially to other companies.
In addition to the cases already listed, we use external service providers from the following areas:
– IT service providers (e.g. maintenance service providers, hosting service providers)
– Service provider for file and data destruction
– Printing services
– Advice and consulting, auditor
– Service provider for marketing or sales
– Logistics service provider
In addition, we may be obliged to transmit your personal data to further recipients, such as authorities for the fulfilment of legal notification obligations. These are usually
– Financial authorities and/or
– Health offices
Will your data be processed outside of the EU/EEA?
Countries outside the European Union (and the European Economic Area “EEA”) handle the protection of personal data differently than countries within the European Union. Data processing outside the EU is only permitted if the level of protection of your data guaranteed by the GDPR is also complied with outside the EU.
We have therefore taken special measures to ensure that your personal data is processed in third countries as securely as within the European Union. If we process data in a third country – i.e. outside the EU or EEA – or the processing takes place in the context of the use of third-party services or the disclosure or transfer of data to other persons, bodies or companies, this is only done in accordance with the legal requirements. We therefore only transfer your data to third countries if we either have your express consent to do so, or if this is contractually or legally required.
With service providers in third countries, we conclude the standard data protection clauses provided by the Commission of the European Union. These clauses provide appropriate safeguards for the protection of your data with service providers in the third country. Although the European Court of Justice (ECJ) declared the EU-U.S. Privacy Shield agreement invalid in its ruling of 16 July 2020 (Case C-311/18; so-called Schrems II). At the same time, however, the ECJ also ruled that the Commission Decision on standard contractual clauses (2010/87/EU) remains valid in principle, so that standard contractual clauses for a transfer of personal data to third countries can in principle continue to be used.
How long do we keep your data?
We will delete or anonymise your personal data as soon as it is no longer necessary for the purposes for which we collected or used it.
– We will delete the video we record of you as part of the Corona quick test after 48 hours.
– If you have consented to data processing by us, we will store your data until you revoke your consent.
– If you have consented to data processing by us, we will store your data until you revoke your consent.
– In addition, we may retain your data until the expiry of the statutory limitation periods (i.e. usually 3 years), insofar as this is necessary for the assertion, exercise or defence of legal claims. After that, the corresponding data will be deleted.
How do we protect your data?
Of course, we take appropriate specific technical and organisational measures to protect your privacy and to treat your personal data confidentially. In order to prevent the manipulation, loss or misuse of your data stored with us, we take extensive security precautions that are regularly reviewed and adapted to technological progress. These measures ensure the confidentiality, integrity, availability and resilience of your data. This also includes, among other things, that we regularly sensitise those involved in processing operations with regard to data protection requirements.
As part of the authentication process, the video recorded of you by WebID Solutions is stored in the data centre of Amazon Web Services (“AWS”), Amazon Web Services, Inc, P.O.. Box 81226, Seattle, WA 98108-1226, USA. The data is stored in a German data centre (Frankfurt/Main), which is certified according to ISO 27001, 27017 and 2018 as well as PCI DSS Level 1 and accordingly meets the highest security standards. There is also transport encryption with TLS 1.2.
Since we primarily contact you via our website, we also place a special focus on the security of your data. We use the widespread SSL (Secure Socket Layer) procedure in connection with the highest level of encryption supported by your browser when you visit our website. As a rule, this is 256-bit encryption. If your browser does not support 256-bit encryption, we use 128-bit v3 technology instead. You can tell whether an individual page of our website is encrypted by the closed display of the key or lock symbol in the lower status bar of your browser.
However, we would like to point out that due to the structure of the Internet, it is possible that the aforementioned security measures are not observed by other persons or institutions that are not within our area of responsibility. In particular, data disclosed unencrypted – e.g. if this is done by e-mail – can be read by third parties. We have no technical influence on this.
What rights do you have with regard to your data?
As a data subject, you have the following rights in connection with the processing of your personal data:
– Information about your personal data (Art. 15 DSGVO);
– Correction of your incorrect personal data (Art. 16 DSGVO);
– Deletion of your personal data (Art. 17 DSGVO);
– Restriction of the processing of your personal data (Art. 18 DSGVO);
– Object to the processing of your personal data (Art. 21 DSGVO);
– revocation of your consent at any time with the consequence that we may no longer continue the data processing based on this consent in the future (Art. 7 para. 3 DSGVO);
– Right to data portability with regard to your personal data (Art. 20 GDPR).
If you wish to make use of the aforementioned rights, you can contact us using the contact details provided above.
In addition, you also have the right to complain to the competent data protection supervisory authority if you consider that the processing of your personal data is not lawful (Art. 77 DSGVO).
Due to the further development of our website and offers, it may become necessary to change this data protection declaration. You can access the current data protection declaration at any time on the website at https://covidtestonline.de/datenschutz.