2. Mandatory information to be provided pursuant to the EU General Data Protection Regulation (GDPR)
2.1 Controller responsible for the processing and contact details of the Data Protection Officer
The data controller and body responsible for the processing of personal data is:
Ecolog Deutschland GmbH
In der Steele 14
The data protection officer is:
IBS data protection services and consulting GmbH
You can contact our Data Protection Officer using the same address with the addition “FAO: Data Protection Officer (Datenschutzbeauftragter)” or by email at: firstname.lastname@example.org.
2.2 Processing of personal data, purposes and legal bases
Ecolog processes and stores various types of personal data.
2.2.1 Provision of the website and App
If you use our website and App, data concerning your usage (e.g. the date and time of your visit, the pages viewed and files accessed, the type and version of the browser you are using, the type of end device you are using and the operating system running on it, as well as your IP address) will be stored temporarily in a log file located on our server. Processing of the server log data is necessary for technical reasons in order to provide the website and services, and subsequently in order to ensure system security.
Our legitimate interest in providing the website with our services constitutes the legal basis for the processing (Art. 6 (1)(f) of the GDPR). As the processing is an essential precondition for use of our website, there is no right of objection.
The data will be erased after 12 days at the latest.
Thereafter, the server log data may be evaluated in anonymised form for statistical purposes and to improve our internet presence. There is no link between the server log data and your personal data, nor will the server log data be combined in any way with other sources of personal data.
2.2.2 Creation of a customer account
In order to book a test appointment or a video-monitored online self-test you will need to have a customer account with us. If you register for a personal customer account, you will need to specify your name, gender, contact details (e.g. address, telephone number, email address), date of birth and set a personal password. Adding nationality and ID number are mandatory only for flights to Japan. We will process this registration data in order to set up and manage your customer account and for implementing future orders. To complete the registration process, you will be sent a link via SMS to the telephone number you have provided, which you will then need to click on. As a registered customer, you will have access (by means of your email address and the password you have chosen yourself) to your personal customer account, from where you will be able to view the progress of your orders, and also save and amend your personal settings (e.g. password and language settings).
Our legitimate interest, according to Art. 6 (1)(f) of the GDPR, in providing you with the “customer account” service described above, and the performance of a user contract with you (Art. 6 (1)(b) of the GDPR) constitutes the legal basis for the processing.
These data will be erased if the registration on our website is cancelled or the customer account is deleted.
You may object to the processing of your data on the basis of Art. 6 (1)(f) of the GDPR (in accordance with Art. 21 (1) of the GDPR). In principle, we can then demonstrate compelling grounds for the processing in order to enable us to continue with it. In connection with the use of a customer account, however, we will not do this and the following shall apply: The customer account will then have to be deleted and it will no longer be available for you.
Please note that if a booking is made via your customer account, we will collect additional (booking) data and we may potentially store this for longer periods (in this regard, see 2.2.3, 2.2.4 and 2.2.5). However, the storage periods indicated in the sections 2.2.3 and 2.2.4 do not apply to your registration data.
2.2.3 Booking a test
After you have registered a customer account, you will be able to book a SARS-CoV-2 PCR and/or rapid antigen test (hereinafter “Test”), which you can then receive in our test centres or with one of our partners (pharmacies). In addition, you have the option of ordering an online certificate (see section 2.2.5). In order to handle the booking we will process the data from your customer account, the data relating to the service you have booked and the payment information required for your selected payment method (collectively referred to as “Participant Data”).
The formation and performance of the purchase contract for the ordered items – Art. 6 (1)(b) of the GDPR – constitutes the legal basis for the processing.
The storage periods for these data are indicated in section 2.2.4.
2.2.4 Administration of the tests on site at our test centers and notification of the test results
a) Processing of personal data and legal basis of on-site tests at our test centers
Subject to your consent, concerning the tests which take place at the premises of Ecocare test centre and/or at the pharmacy sites, we will collect and process personal data of registered customers in order to (i) verify your identity at the Test appointment, (ii) carry out and process the subsequent testing of the samples, issue the Test certificates and match the Test results with the correct persons, (iii) provide the customers with an electronic notification of the Test results, and (iv) issue invoices for our services. Please note that the Test results, which are classified as health data within the meaning of Art. 9 (1) of the GDPR, comprise:
- Registration data (see above)
- Your swab
- Results of the biochemical analysis of the swab (“Test Result”)
- Your payment data (e.g. credit card number)
The legal basis for the processing consists of the formation and performance of the contract with the customer for the testing services (Art. 6 (1)(b) of the GDPR) and, for the purposes of processing the health data and notification by electronic means, your consent (Art. 6 (1)(a) and Art. 9 (2)(a) of the GDPR).
In the case of the free tests for citizens (Bürgertests) in Germany, your Personal Data and Test Results will be stored until 31 December 2024 in accordance with section 7 (5) of the Coronavirus Testing Regulation (Coronavirus-Testverordnung) in the current version.
In the case of a private Test in Germany that you have paid for, your booking data will be stored for ten years in accordance with section 147 of the Fiscal Code of Germany (Abgabenordnung, AO) and section 257 of the German Commercial Code (Handelsgesetzbuch, HGB). In this case, we will retain your Test Result for 30 days following the Test.
The swab will not be stored or retained in any way.
We will store personal data collected in Belgium or Luxembourg only for as long as this is necessary in order for us to comply with our contractual obligations. The swab will not be stored or retained in any way.
2.2.5 Performance of the self-test as a video-monitored online self-test and issuance of the test certificate
In addition to performing the test on site (see section 2.2.4), it is possible to order an online medical certificate on the basis of a video-monitored self-test. The evaluation of the result is carried out by means of authentication of the person and video monitoring of the performance of the self-test by medical staff. In this context, therefore, we must first verify your identity electronically. Subsequently, we review the guided execution of the test recorded by you and finally certify the respective test result, which you can also upload on the Corona-Warn app.
In addition to processing your registration/participant data (see sections 2.2.2 and 2.2.3 in this regard), we process your personal data as follows:
a) Processing of personal data, legal basis and storage period for the purpose of authentication
In order to verify your identity electronically, it is necessary for you to go through an authentication process. For this purpose, no personal data will be disclosed to third parties. To complete the authentication process, you need an Internet-enabled terminal device with a camera. For the purpose of successfully completing the authentication process, you will be instructed to take photos of your ID document as well as a photo of your face via your end device (e.g. smartphone or tablet) and send them to us for verification. In this context, we require the following personal data from you:
- A photo of your identification document
- The following information derived from the photo of your identification document: first name, last name, street/house number, zip code, city, country, date of birth, place of birth, nationality, type of ID card, ID card number, date of issue of ID card, expiration date of ID card, issuing authority of ID card.
- Photo of your face.
The legal basis for the processing of these data for the purpose of online authentication is the fulfillment of the contract on the implementation of the video-monitored online self-test (Art. 6 para. 1 (b) GDPR) and the issuance of a COVID-19 medical test certificate. Without the provision of this data by you, we cannot verify your identity and therefore cannot certify the result of the respective test.
The data that we need to identify you will be deleted immediately after your identity has been verified, unless you have expressly consented to storage beyond this point. For such longer storage of data by us, the legal basis is your consent (Art. 6 para. 1 (a) GDPR).
b) Processing of personal data, legal basis and storage period regarding the guided test execution and the assessment/evaluation of the test result
After your identity has been successfully verified, you will be instructed to perform the test and record the performance using your video-capable terminal device. After the completion of the recording, this will be transmitted to us. The recording will then be reviewed and evaluated by our trained personnel. In case of proper performance of the test, we will issue the test certificate.
To enable the guided test execution, the transmission of the recording to us and its review and evaluation, we process the following personal data:
- Your e-mail address
- Photo of you (screenshot)
- Video recording of the test
- Audio track recording of the test
- Test result communicated by you regarding an infection with the Coronavirus
The legal basis for the processing of this data is the fulfillment of the contract for the issuance of a medical test certificate based on the video-monitored antigen self-test for lay use (Art. 6 para. 1 (b) GDPR) and for the processing of health data your consent (Art. 6 para. 1 (a) and Art. 9 para. 2 (a) GDPR). Without the provision of this data by you, we cannot certify the result of the test. Insofar as the processing is based on consent, you can revoke this at any time. In case of revocation of your consent, the further execution of an uncompleted video-monitored online self-test as well as the certification of the result is no longer possible.
The data we need to conduct the video-monitored online self-test and its certification will be deleted immediately after submitting the test result certificate to you. However, we retain your order data for ten years on the basis of § 147 AO, § 257 HGB. We keep your test result for 30 days after testing.
2.2.6 Notification of the Test Results in the Corona Warn App for Tests administered at Ecocare Test Centres in Germany
We can also transmit your Test Results to the operator of the Corona Warn App – the Robert Koch Institute (RKI) – so that you can have your Test Result displayed in the Corona Warn App. If you consent to this, we will generate a unique identification code for your Test. In the case of App users, the identification code will be transmitted directly to the end device by means of App-to-App communication. For users of the website, we will provide you with a QR code that contains the identification code, which you can scan using the camera on your end device or retrieve directly from the Corona Warn App.
Your consent establishes the legal basis for processing the health data and transmitting it to the RKI (Art. 6 (1)(a) and Art. 9 (2)(a) of the GDPR). You can withdraw your consent at any time.
2.2.7 Using the App to check in with partners
To enable contact tracing and to ensure traceable infection chains in the event that, at the time of your visit, a person should be ill, suspected of being ill, suspected of being infected, or be a carrier within the meaning of the Infection Protection Act (Infektionsschutzgesetz), we will, as a processor for our partners, collect the following personal data from you: surname, first name, address, date and time period of your attendance and, where applicable, your telephone number.
To check in, you can use the function in the App to scan the QR code of our partner via the App and camera function. When you do this, a photograph will not be generated and processed by us; instead a link will merely be generated by which you can carry out the check-in process.
The legal bases for this are Art. 6 (1)(b) of the GDPR, insofar as you use the function in our App to check in with our partner, and Art. 6 (1)(c) and Art. 6 (1)(d) of the GDPR for our partners.
In accordance with the statutory requirements, the check-in data will be erased after one month following their collection.
2.2.8 IATA Travelpass
The legal basis for the processing of health data and the link with the IATA App is your consent (Art. 6 para. 1 (a) and Art. 9 para. 2 (a) GDPR). You can revoke your consent at any time.
Subject to your consent, Ecolog Deutschland GmbH may use your email address to send you newsletters by email, in order to inform you about our Ecocare services in the area of COVID-19 testing, vaccination against COVID-19 and other services and/or products of Ecolog group companies. In each newsletter, you will have the possibility to deregister and withdraw your consent. You can also withdraw your consent to receipt of the newsletter at any time by sending an email to: email@example.com.
The legal basis for the processing consists of your consent (Art. 6 (1)(a) of the GDPR) and our legitimate interests (Art. 6 (1)(f) of the GDPR), in conjunction with section 7 (3) of the German Act Against Unfair Competition (Gesetz gegen den unlauteren Wettbewerb, UWG), where applicable.
2.2.10 Your enquiries
If you direct enquiries to us by email or using a service hotline number, we will process the information you have provided in your enquiry in order to process it.
Our legitimate interest, according to Art. 6 (1)(f) of the GDPR, in providing you with the “enquiry” service described above constitutes the legal basis for the processing. If your enquiry relates to the formation or execution of a contract, there is an additional legal basis for the processing under Art. 6 (1)(b) of the GDPR.
In accordance with Art. 6 (1)(f) of the GDPR, you may object to the processing of your data. If we can demonstrate compelling grounds for the processing, we will then be able to continue with it. In this particular case, this may be necessary in order to provide proof of past communications and enquiries with you. If no such compelling grounds are present, we will cease the communications with you and erase any data already collected.
These data will be erased when our communication with you terminates, i.e. if the matter concerned has been finally resolved and there are no other legitimate interests or statutory obligations that justify or require storage of the data.
2.2.11 Cookies on our websites
a) Necessary cookies and comparable technologies (“Necessary Cookies”)
b) Statistical cookies and similar technologies (“Statistical Cookies”)
Statistical Cookies are used in order to analyse and improve our website on the basis of general user behaviour. The cookies collect information on how visitors collectively use a website, e.g. which pages they most frequently view and whether they receive error messages from websites. All information collected with the aid of these cookies is used exclusively in order to understand and improve the functionality and service of the website.
The legal basis for the use of analysis cookies and the processing of your data by the provider of these cookies is established by your prior consent (Art. 6 (1)(a) of the GDPR). You may withdraw your consent at any time by adjusting the cookie settings, which you can access via the link at the top of this website.
c) Functional cookies
We use functional cookies to improve and simplify the use, performance and security of our website.
The legal basis for the use of functional cookies and the processing of your data by the provider of these cookies is established by your prior consent (Art. 6 (1)(a) of the GDPR). You may withdraw your consent at any time by adjusting the cookie settings, which you can access via the link at the top of this website.
d) Marketing cookies
Marketing cookies are used to coordinate advertising that is better targeted to you and your interests. They are also used to limit the number of times you will be shown the same advertisement, to measure the effectiveness of an advertising campaign and to understand the way people behave after viewing an advertisement. These cookies are usually placed on the website operator’s website by advertising networks, with the approval of the website operator (i.e. by us in this case). They identify that a user has visited a website and pass this information on to other parties, e.g. advertising companies, or customise advertising themselves in order to reflect this. They will often be linked to a website functionality that has been provided by this company.
The legal basis for the use of marketing cookies and the processing of your data by the provider of these cookies is established by your prior consent (Art. 6 (1)(a) of the GDPR). You may withdraw your consent at any time by adjusting the cookie settings, which you can access via the link at the top of this website.
If the user is visiting our website for the first time, a data protection notice will be displayed to him/her on the homepage with the consent wording for allowing optional cookies. By clicking on the individual categories (analysis, security, marketing and advertising cookies) and then confirming the selection by clicking on “Accept”, you agree to the placement of these cookies. You can adjust and change these settings at any time in the cookie settings, which you can access via the link at the top of this website.
2.3 Exchange of data with third parties, data recipients
Your personal data will sometimes be transferred to or received by third parties. We will never sell your personal data to third parties. Categories and examples of third parties to whom we send your personal data:
- We use test laboratories, which are responsible for analysing your Test swabs. If you undergo the Test in Germany, we will send your Test swab to Laborpraxis Hüter or MVZ Düsseldorf Centrum GbR. Our responsible test laboratory for tests administered in Belgium is Eurofins Labo Van Poucke and in the Netherlands it is Laborpraxis Hüter. In Luxembourg, we use Laboratories Reunies S.A. in Luxembourg as our test laboratory. In the case of the rapid antigen tests administered at our testing centres in Luxembourg, we send an image of the Test Result to our partner, Laboratories Reunies S.A., in Luxembourg to validate the Test. This is carried out on an anonymous basis. The legal basis for the transmission to the relevant test laboratory responsible for processing your Test is your consent to this, Art. 6 (1)(a) of the GDPR.
- In case you have booked the issuance of the online test certificate, we use the services of eyeson GmbH, Plüddemanngasse 106, 8042 Graz, Austria, for the execution of the same, in particular for the secure recording and transmission of the respective video recording.
- Pharmacies: If you wish to undergo a Test administered by one of our partner pharmacies, we will transfer your data to the pharmacy you have selected. The legal basis for this consists of performing the contract with you (Art. 6 (1)(b) of the GDPR) and your consent, Art. 6 (1)(a) of the GDPR.
- We can send your data concerning the Test Result to the Robert Koch Institute (in this respect, see section 2.2.5).
- We exchange payment data with our external payment services provider Stripe Inc. and PayPal (Europe) S.à r.l. & Cie, S.C.A: We charge a fee for the testing services and issuance of a certificate, which is paid via an external service provider. Performance of the contract with you forms the legal basis for this, Art. 6 (1)(b) of GDPR.
- We may, if necessary, engage technical service providers to provide general IT services, operate and host our websites and carry out the electronic delivery of the Test Results. In particular, ND Business IT GmbH is the service provider we use in this area. These service providers act as our processors; see Art. 28 of the GDPR. In such cases we remain responsible for the data processing; the transfer and processing of personal data to and by our processor takes place on the respective legal basis that permits us to carry out the processing in the given case. A separate legal basis is not necessary.
- Supervisory Authorities: We exchange data with supervisory authorities (such as the competent local health authorities or the competent data protection authorities) where this is required by the supervisory authorities for compliance with their official duties. This is required by law. In the event of a positive Test Result we are required by law to pass on your personal data and your positive Test Result to the relevant health authority that is responsible in your case. The legal basis for this is constituted by our legal obligations and/or the public interest in the area of public health under the applicable local legislation, Art. 6 (1)(c) and (e) of the GDPR and Art. 9 (2)(g) and (i) of the GDPR.
It is possible that the above-mentioned processors or other data recipients may also have offices abroad. Insofar as such offices are located in countries outside the European Economic Area that are not covered by an Adequacy Decision of the European Commission, we will ensure the protection of your personal data and the enforceability of your rights by means of appropriate guarantees (e.g. by means of standard contractual data-protection clauses, which the European Commission has issued or approved).
2.4 Access to functions and sensors on your mobile end device
2.4.1 Location data
You can use our App to display the partner test centres that are located close to you.
In order that we can offer you individual services that are aligned to your current location, you will need to have consented to “geolocalisation” in the operating system settings (e.g. under “positioning services”) of your mobile end device for the purposes of using our App. In the settings section you can choose whether to allow position fixing for the App generally, or only during use of the App, or only individually.
If you would like to use our App to find your nearby test centres but you have not released the location data, we will notify you of this via a pop-up message so that you can adjust your settings as necessary.
You can alter or cancel the function in the operating system settings of your mobile telephone at any time.
The legal basis for the processing of your location data is your consent to this, in accordance with Art. 6 (1)(a) of the GDPR.
2.4.2 Camera/photos/media/files on your mobile end device/ USB memory content (read, change, delete)
With your permission, Ecocare accesses the storage of your device in order to allow you to save your invoices and test certificates as a PDF on your device via the app.
The legal basis for the processing is Art. 6 (1) lit. b GDPR, as the access is necessary to facilitate the respective storage requested by you and thus to perform the contract with you. We do not store any personal data about you in our systems in connection with the access.
2.4.3 Wi-Fi connection information
EcoCare analyses the status of your device's internet connection via the respective SSID/BSSID to notify you if the app cannot function as desired due to a lack of internet connection.
The legal basis for the processing is our legitimate interest in providing you with a user-friendly app (Art. 6 (1) lit. f GDPR). We do not store any personal data about you in our systems in connection with the access.
2.5 Storage period
Unless otherwise specified in this Policy, we will store personal data only for as long as this is necessary in order to comply with our statutory obligations. We will then erase the personal data immediately. However, we are required to store certain types of personal data for longer periods on statutory grounds.
- In Germany: we are obliged under the German Commercial Code (Handelsgesetzbuch), the German Tax Code (Steuergesetzbuch), the German Banking Act (Kreditwesengesetz), the German Money Laundering Act (Geldwäschegesetz) and the German Securities Trading Act (Wertpapierhandelsgesetz) to store certain types of personal data for a mandatory period of 2 – 10 years. In addition, we also store certain types of personal data for evidentiary purposes in civil proceedings.
- In the Netherlands: we are obliged under the (Dutch) Commercial Code, the Dutch Tax Code, the Dutch Credit and Loans Act, the Dutch Money Laundering Act and the Dutch Securities Act to store certain types of personal data for a mandatory period of 2 – 7 years.
- In Luxembourg: we are obliged to store certain types of personal data for a mandatory period of 2 – 7 years pursuant to the (Luxembourg) Commercial Code, the Luxembourg Tax Code, the Luxembourg Credit and Loans Act, the Luxembourg Money Laundering Act and the Luxembourg Securities Act. In addition, we also store certain types of personal data for evidentiary purposes in civil proceedings.
- In Belgium: we are obliged, pursuant to the Act of 30 July 2018 on the Protection of Natural Persons with Regard to the Processing of Personal Data, to store certain types of personal data in a form that does not permit identification of the data subject and for a period that does not exceed the duration of the purposes for which the personal data are being processed. Other types of personal data that relate to occupational medicine, accounting and taxes, work, social insurance and/or anti-money laundering must be stored for a period of 5 – 15 years pursuant to the (Belgian) Code of 28 April 2017 on Health and Safety in the Workplace, the (Belgian) Royal Decree of 8 August 1980 Regarding the Keeping of Social Documents, the Belgian Tax Code, the Belgian Code of Economic Law and the Belgian Anti-Money Laundering Act.
Ecolog is obliged towards the Belgian health authorities to submit the correct NRN and CTPC code. Concerning the booked tests which require the CTPC code, Ecolog shall have the right to contact you in order to verify the correctness of the CTPC and NRN code within one year from conducting the test.
To this end, Ecolog is obliged to store your personal data for one year when you have booked a test requiring a CTPC code due to Belgian governmental regulations.
2.6 Data protection rights
As part of the applicable legal requirements from time to time in force, you have the following data protection rights which you can assert at any time using the address specified in section “2.1 Controller responsible for the processing and contact details”, with the addition of “FAO: Data Protection Officer (Datenschutzbeauftragter)” or by email to firstname.lastname@example.org.
2.6.1 Right of access
You have the right to obtain confirmation as to whether or not personal data concerning you are being processed (Art. 15 of the GDPR). Where this is the case, you have a right of access to this personal data. As a general rule, you may request a free copy of your personal data. However, Ecolog may charge a fee if you request additional copies.
2.6.2 Right to data portability
You have the right to receive the personal data concerning you, which you have provided to Ecolog, in a structured, commonly used and machine-readable format (e.g. PDF) (Art. 20 of the GDPR). You also have the right to transfer your personal data to another legal entity.
2.6.3 Right to rectification
You have the right to obtain the rectification of inaccurate personal data concerning you and the completion of incomplete personal data (Art. 16 of the GDPR).
2.6.4 Right to erasure
You have the right to erasure of your personal data (Art. 17 of the GDPR). However, Ecolog may be obliged under applicable law to store certain personal data even after receiving your request for erasure of your personal data (for further information, see “2.5 Storage period”).
2.6.5 Right to restriction of processing
You have the right to obtain restriction of processing of your personal data (Art. 18 of the GDPR).
2.6.6 Right to object
You have the right to object to processing of the personal data concerning you if the processing is based on the legitimate interests of Ecolog (unless we can demonstrate compelling legitimate grounds for the processing) or if the personal data are being processed for direct marketing purposes (Art. 21 of the GDPR).
2.6.7 The right to lodge a complaint
You have the right to lodge a complaint with a competent supervisory authority. You may also exercise this right with a supervisory authority in your place of residence, your work location or the place of the alleged infringement.
2.6.8 Right to withdraw consent
Insofar as the processing of your personal data is based on your consent, you have the right to withdraw your consent at any time with future effect. For the purposes of your consent to the Test and notification of the Test Result, this means that we will not discontinue the processing explained above (see 2.2.3) after the swab has been taken.
2.6.9 No automated decision making, including profiling
We do not use any automated decision-making processes, including profiling, according to Art. 22 (1) and (4) of the GDPR.
3. Security measures
Ecolog has introduced extensive security measures to ensure the security of personal data. This includes the following measures:
- Organisational measures: Preparation and implementation of an internal control plan, alongside regular instruction and further training of employees;
- Technical measures: Management of access rights to its systems, installation of an access control system, encryption of certain types of personal data and installation of security software;
- Physical measures: Restriction of access to all internal data centres (e.g. computer rooms or data storage rooms) and
- Contractual measures: Third parties hosting our systems are contractually bound to comply with our instructions and are subject to regular monitoring.
4. Amendments to this Policy
Ecolog strives to maintain the highest possible standards and continuously improve its services. This may therefore mean that we will change our services from time to time. Such changes may affect the processing of personal data. We reserve the right to amend this Policy at any time. The latest version from time to time in force is available at: www.ecocare.center. We recommend that you regularly check the latest status of this Policy.
This version of the data privacy notice has been valid since December 2021.