Veri koruma bildirimi

Data protection information for visitors of our test centre

We wish to provide you with the following information and thereby comply with the information obligations arising from the General Data Protection Regulation (GDPR).

Who is responsible for data processing?

Würtenberger & Tümpel Beteiligungs GmbH
Loretta Würtenberger
Schlossplatz 1-3
16727 Oberkrämer

What data is processed for which purposes?

Accessing the booking page

Appointment booking and, if applicable, billing is carried out via our ticketing service provider Ticket i/O, with whom we have concluded an order processing contract. In order to increase the security and delivery speed of the website (legitimate interest according to Art. 6 (1) lit. f DSGVO), Ticket i/O uses the Content Delivery Network (CDN) Amazon CloudFront from Amazon Web Services EMEA SARL.

AWS is the recipient of your personal data (IP address) and acts as a processor for Ticket i/O.

A CDN is a network of distributed servers capable of delivering optimised content to the website user. For this purpose, personal data may be processed in server log files by AWS.

The information is used to analyse and maintain the technical operation of the servers and the network as well as to combat abuse, and is stored by AWS for as long as is necessary for the purposes described. We encrypt the log files and delete them after 7 days.

Further information on data protection at AWS can be found here.

It cannot be completely ruled out that your IP address will be transmitted to the USA by AWS. AWS has implemented enhanced compliance measures for international data transfers. These measures are based on the EU Standard Contractual Clauses (SCCs). You can find more information here.

Booking an appointment for a COVID-19 test

Appointment bookings and billing are handled by our ticketing service provider ticket.io, with whom we have entered into a contract for order processing.

The purpose of processing is to conduct the respective test (COVID-19 “citizen rapid test”, PCR test, antigen or antibody test) and to issue the result certificate. In the event of a free “citizen test”, processing also occurs for the purpose of billing with the Association of Statutory Health Insurance Physicians.
Depending on the reason for testing and the purpose of the result certificate, the voluntary entry of a document number (personal ID or passport) and nationality may also be appropriate. The purpose of this processing is to issue a complete certificate with all mandatory information; in the case of some countries, entry and/or exit is not possible without this information on the certificate. Please check the travel conditions with the Foreign Office before booking an appointment.

The fulfilment of a contract pursuant to Art. 6 (1b) GDPR provides the legal basis for processing your data.
In the event of a positive test result, a duty to report the case to the local health department applies. The legal basis for transmitting your data in this case is a legal obligation pursuant to Art. 6 (1c) GDPR.

Your personal data is automatically deleted when it is no longer necessary for the purposes for which it was collected and no retention periods preclude deletion. Here are a number of relevant deletion or retention periods:

Retention or deletion period

Legal basis

Participant data and result data for free “citizen tests”

Deleted from the live database 60 days after testing and transferred to the archive; deleted from the archive database at the end of 2024

Billing of “citizen tests” with the Association of Statutory Health Insurance Physicians until the 15th of the following month or the retention period according to Section 7 (5) of the German Coronavirus Testing Regulation (Coronavirus-Testverordnung – TestV)

Participant data for privately paid COVID-19 tests

10 years

Section 147 of the Fiscal Code of Germany ( Abgabenordnung – AO), Section 257 of the German Commercial Code (Handelsgesetzbuch – HGB)

Result data for privately paid COVID-19 tests

Deleted from the live database 60 days after testing

Art. 6 (1c) GDPR in conjunction with Section 6 (1) No. 1 t) of the German Infection Protection Act ( Infektionsschutzgesetz – IfSG)

If you have any further questions regarding the storage of your data, please do not hesitate to contact us.

Online transmission of the test result for a COVID-19 test

In order to ensure that only the tested person is able to access the result, different authentication methods are used depending on the laboratory software in use:

The transmission of the test result for online access occurs on the basis of your consent provided when booking the appointment, in accordance with Art. 6 (1a) in conjunction with Art. 9 (1a) GDPR.

Your test result is available to access for 72 hours.

Online submission of the test result to the Corona Warn App (Optional).

If you* wish to use the Corona Warn App ("App") of the Robert Koch Institute ("RKI") to retrieve your test result of an antigen test, in order to retrieve your test result via the App, it is necessary that your test result is transmitted from the testing centre to the server system of the RKI.

In short, this is done by the testing centre storing your test result, linked to a machine-readable code, on a server of the RKI designated for this purpose. The code is your pseudonym; no further personal information is required to display the test result in the app. However, you can personalise the display of the test result by entering your name, first name and date of birth.

The code is formed from the scheduled time of the test and a random number. The code is formed by combining the aforementioned data in such a way that it is no longer possible to calculate back the data from the code.

You will receive a copy of the code in the form of a QR code that can be read into the app using the camera function of your smartphone. Alternatively, you can also receive the pseudonymous code as an internet link ("App Link"), which can be opened and processed by the app. This is the only way to link the test result with your app. With your consent, you can then retrieve your test result using the app. Your test result is automatically deleted from the server after 21 days. If you agree to the transmission of your pseudonymous test result by means of the code to the app infrastructure for the purpose of test retrieval, please confirm this to the staff of the testing centre. You can revoke your consent at any time with effect for the future. Please note, however, that due to the existing pseudonymisation, an assignment to your person cannot take place and therefore a deletion of your data will only take place automatically after the 21-day storage period has expired. You can also find details on this in the "Data protection information" of the Corona warning app of the RKI.

*If you are under 16 years of age, please discuss the use of the app with your parents or legal guardian.

Support

Support regarding the booking of appointments is handled via our ticketing service provider ticket.io, with whom we have entered into a contract for order processing.

When establishing contact (e.g. via the contact form or email), personal data is collected. The types of data collected when using the contact form can be seen in the corresponding contact form. This data is stored and used exclusively for the purpose of answering your enquiry or for establishing contact as well as the associated technical administration. The legal basis for processing the data is our legitimate interest in answering your enquiry in accordance with Art. 6 (1f) GDPR. Your data is deleted after your enquiry has been conclusively resolved. This is the case when the circumstances indicate that the relevant subject matter has been fully clarified and where no statutory retention periods preclude deletion. Ticket.io uses the technical service provider ZOHO DESK for customer support: https://desk.zoho.eu/portal/tiosupport/de/home .

Cookies

The data processed by cookies, necessary for the proper functioning of the website, is required to maintain our legitimate interest and the interests of third parties in accordance with Art. 6 (1f) GDPR.

Who are the data recipients?

Insofar as this has not been previously mentioned, as a rule personal data is not shared with third parties. However, we may avail ourselves of service providers – such as the processors already mentioned. As a result, it may be the case that a service provider obtains knowledge of personal data.

Where is data processed?

We only process data in the European Union.

What rights do you have?

You have the right to receive information about the personal data we process with respect to your personal identity. Moreover, you have the right to demand the rectification or erasure of the data or the restriction of processing, provided you are entitled to these rights by law.

Furthermore, you have a right to object to processing in accordance with statutory provisions. The same applies to the right to data portability.

In particular, you have a right to object in accordance with Art. 21 (1) and (2) GDPR to the processing of your data if this occurs on the basis of a balance of interests.

Lastly, you have the right to lodge a complaint with a supervisory authority responsible for data protection.

Version: 31/05/2021