Privacy policy for "Alles gurgelt!" according to Article 13 GDPR

1. Joint Controllership

As part of the screening program "Alles gurgelt!", the processing of the personal data provided by you is carried out under the joint controllership of the following project partners:

Stadt Wien, Magistratsabteilung MA 15 – Gesundheitsdienst der Stadt Wien ("Stadt Wien")
Thomas-Klestil-Platz 8/2, 1030 Wien
info@allesgurgelt.at
www.allesgurgelt.at

LEAD Horizon GmbH ("LEAD")
Walcherstraße 1A, Stiege 1, 4. Stock, 1020 Wien
datenschutz@lead-horizon.com
www.lead-horizon.com

Lifebrain COVID Labor GmbH ("Lifebrain")
Wipplingerstraße 35/10, 1010 Wien
datenschutz@lifebrain-labor.at
www.lifebrain-labor.at

For this purpose, the project partners have concluded an agreement in accordance with Article 26 (1) of the EU General Data Protection Regulation (GDPR), the essential content of which can be accessed here. LEAD acts as a contact point for the concerns of affected persons at: datenschutz@lead-horizon.com

2. Purpose of processing and legal basis

The processing of your personal data takes place within the framework of the screening program "Alles gurgelt!" and is used to determine the prevalence of COVID-19 in the population by means of mass testing. Prevalence is the frequency of a disease or symptom in the population at a given time. In addition, "Alles gurgelt!" also serves to provide you with proof of testing or a test certificate so that you can meet legally prescribed conditions or requirements (keyword: "3G rule").

The data processing carried out by the (joint) controllers as part of "Alles gurgelt!" takes place for reasons of public interest in the field of public health, namely for the prevention, control and monitoring of the COVID-19 pandemic (legal bases: Art 9 para 2 lit i and Art 6 para 1 lit e GDPR in conjunction with § 5a para 2 and 4 Epidemics Act 1950 ("EpiG") or, for the school sector, § 5a para 5 EpiG).

Please note that the provision of your data is necessary in order to participate in the test program. Since participation in the test program (i.e. in particular the implementation of the COVID-19 test) is voluntary, you will not suffer any disadvantages from not participating.

3. Data categories and organizational handling of "Alles gurgelt!"

For the aforementioned purposes (see point 2), in particular the following personal data provided by you is processed: "access data" (i.e. name, e-mail address and encrypted password), "master data" (name, gender, date of birth, social security number, place of residence, telephone number, e-mail address), "test data" (time of sampling and sample evaluation, the test result, and in the case of authentication: the period of validity of the test result, and the barcode/QR code of the test) and technical "telemetry data" (IP address, user name, transaction logs).

The data will be collected and stored by LEAD directly at your premises as part of your registration and transmitted to a Lifebrain laboratory for the purpose of laboratory medical analysis, where the sample material will be processed by qualified specialist personnel using recognized, state-of-the-art laboratory methods. These test results are then electronically transmitted back to LEAD by Lifebrain so that LEAD can communicate the result to you. If you voluntarily carry out an identity check (see point 4), Lifebrain will also provide you with a laboratory medical report for retrieval and download. If you have voluntarily scanned or entered a QR code of your school or institution, the test result will also be forwarded to the school/institution (see point 5, third paragraph).

In the case of a confirmed infection with SARS-CoV-2 or in the event of a pandemic with COVID-19, the laboratory must also transmit negative and invalid results to the district administrative authority (the health office) due to the legal obligation (cf. § 3 Epidemic Act 1950 and § 1 para 3 of the Ordinance on Electronic Laboratory Reports in the Register of Notifiable Diseases).

The Homecare app, which is operated by the City of Vienna as the sole controller and thus separately from LEAD and Lifebrain, also provides its users with the link to test results and test certificates stored in the register for screening programs. Further information on data processing within the framework of the Homecare app of the City of Vienna can be found in the separate data protection declaration for the Homecare app of the City of Vienna.

4. Identity verification

In the event of a successful test, you will receive proof of the result of the test. If you also want to present your test result officially (i.e. to meet certain legal requirements), we must establish your identity. For this we need a photo of your ID or your e-card. The photo of your identity document or e-card is read and processed with the help of text recognition software. In the further course of the application, we will also take photos of you while you use the test. These photos, together with the ID card or e-card, serve to ensure that you (and no one else) use the test yourself.

Your recordings will not be passed on to Lifebrain or other third parties. The legal basis for the processing of the recordings and ID data for the stated purpose is your consent (Art 6 para 1 lit a in conjunction with Art 9 para 2 lit a GDPR), which you give by clicking on "AUTHENTICATE". This consent is voluntary; alternatively, you can reject the identity verification by selecting "SKIP PROOF". In this case, however, you will receive neither a certificate nor a medical report from the partner laboratory.

5. Other data recipients

The laboratory (Lifebrain) is legally obliged to report the test result to the competent health authorities (Art. 9 (2) (i) GDPR in conjunction with § 3 (1) EpiG and § 1 (3) of the Ordinance on Electronic Laboratory Reports in the Register of Notifiable Diseases). Further information obligations with regard to your personal data (including the sample material for the purpose of sequencing) may exist at the express request of the competent health authorities (Art. 9 (2) (i) GDPR in conjunction with § 5 EpiG and § 10 (2) of the Data Protection Act).

In addition, there is a legal obligation for test centres and laboratories (such as Lifebrain) to transmit test data in electronic form to the Minister of Health, who creates an official test certificate and stores it in the so-called "EPI service" (Art. 9 (2) (i) GDPR in conjunction with § 4c (2) EpiG). The EPI service is operated by the Minister of Health and is a web service that serves the purpose of issuing and providing test certificates to test persons and thus also forms the basis for the "Green Pass". With regard to this data processing, Lifebrain and the Minister of Health are joint controllers within the meaning of Article 26 GDPR, whereby the distribution of tasks is regulated by law in § 4c (3) EpiG. Further information on data processing by the Minister of Health and the distribution of tasks between Lifebrain and the Minister of Health can be found under https://www.gesundheit.gv.at/service/gruener-pass/datenschutzinformation and under https://www.gesundheit.gv.at/service/gruener-pass/datenschutz-gemeinsame-verantwortlichkeit.

As part of the tests at schools/institutions, your data, including the test result, will be passed on to your school/institution with your consent (Art. 6 (1) (a) in conjunction with Art. 9 (2) (a) GDPR). In addition, during school tests on the basis of Art 9 (2) (i) and (j) GDPR in conjunction with § 7 (1) of the Data Protection Act, aggregated information is passed on to the respective school/institution for statistical purposes.

The data provided by you will not be transmitted by LEAD to any other third parties. The exception is the transfer to processors, such as the hoster Hetzner Online GmbH (Industriestraße 25, 91710 Gunzenhausen, Germany), which operates an ISO-certified data center in Germany, and Anyline GmbH (Zirkusgasse 13 / 2b, 1020 Vienna, Austria), which provides the software for text recognition. Processors work exclusively on the instructions of LEAD, do not use the data for their own purposes and are bound by their own agreements to the data protection obligations according to the GDPR. The data will not be transferred to countries outside the European Union.

Further information on data processing in the sole area of responsibility of the other project partners can be found in their data protection declarations (available for Lifebrain at: https://www.lifebrain-labor.at/datenschutz/#testpersonen).

6. Storage period

We delete all data related to the testing, including the photographs, 14 days after delivery of the result. (Regarding the deletion of other data, such as the access and master data of your user account, see point 9 below.)

With regard to data storage by the project partners (in particular due to their statutory retention obligations), reference is made to the data protection declarations of the project partners.

7. Revocation of consent

You have the right to revoke your consent to the identification and presence recognition (see point 4) and to the forwarding of data to your school or institution (see point 5, third paragraph); however, this does not affect the lawfulness of the processing or forwarding carried out until the revocation. To revoke your consent, please contact datenschutz@lead-horizon.com.

8. Your rights

You have a right to information about the personal data processed, to correction and deletion, to restriction of processing, as well as a right to data portability, a right to object and a right to lodge a complaint with the data protection authority; all this in accordance with the statutory provisions.

As part of the project "Alles gurgelt!", LEAD acts as a contact point for the concerns of data subjects (Art. 26 (1) GDPR). For this purpose, you are welcome to contact our data protection officer at datenschutz@lead-horizon.com.

9. Operation of your user account and the web app lead-horizon.org

If you create a user account in our web app, LEAD processes your access and master data (see point 0) as well as master data of other test persons created by you in your user account for the purpose of processing COVID-19 tests on the basis of our legitimate interests (Art. 6 (1) (f) GDPR). This data will be deleted half a year after the last login.

For the operation of the web app, LEAD also processes technical telemetry data, which is necessary for the operation of the web app and the execution of the tests. LEAD also processes this data on the basis of the legitimate interest (Art. 6 (1) (f) GDPR) in smooth technical operation. This data will be deleted after 32 days at the latest.

If you contact us by e-mail, your personal data such as your e-mail address and e-mail correspondence will be processed for the purpose of customer service on the basis of the legitimate interest (Art. 6 (1) (f) GDPR) in a good customer relationship. This data will be deleted no later than 3 years after the last contact.

The web app also uses cookies, whereby only technically necessary cookies are used:

  • lead_horizon_testkit_session - The session cookie is used to recognize you during the duration of your session and is necessary to ensure the functionality of the application. As soon as you close the WebApp, the session cookie is automatically deleted.
  • XSRF-TOKEN - supports a security measure to prevent cross-site request forgery or cross-site scripting. This cookie will also be deleted at the end of your session.
  • lh_id_set - encrypted storage of your sample number in the course of retrieving the result. This cookie will also be deleted at the end of your session.
  • lh_local – the cookie adjusts your language preference and is deleted after half a year at the latest.
  • lh_domain – the cookie selects the variant of the product you are using and is deleted after half a year at the latest.
  • lh_skip_2fa – the cookie is used to make 2-factor authentication easier for the user. It will be deleted after 14 days at the latest.
  • lh_restricted – the cookie stores the information that a valid access link has been used in crisis mode and is deleted after half a year at the latest.

The data processing by cookies is based on our legitimate interest (Art. 6 (1) (f) GDPR and § 165 (3) of the Telecommunications Act 2021) in the provision of a functioning web app.

INFORMATION ON JOINT DATA PROTECTION RESPONSIBILITY FOR THE PROJECT "ALLES GURGELT!"

What is the reason for joint responsibility?

The project "Alles gurgelt!" is a test offensive initiated and carried out by the City of Vienna ("screening program" within the meaning of § 5a Epidemic Act 1950 – EpiG) in the course of the worldwide COVID-19 pandemic. For this purpose, the City of Vienna cooperates with LEAD Horizon GmbH ("LEAD") and Lifebrain COVID Labor GmbH ("Lifebrain") as project partners, whereby these project partners also process personal data within the meaning of the EU General Data Protection Regulation (GDPR) as part of the project implementation.

The cooperation and areas of responsibility of the project partners in the implementation of the COVID-19 tests within the framework of "Alles gurgelt!" are as follows:

  1. The City of Vienna has the patronage of the project and determines the organizational course of the screening program. In this respect, the City of Vienna therefore (also) defines the purposes and means of the processing of personal data. Finally, in accordance with the requirements of the City of Vienna, test results are transmitted to public authorities for the fulfilment of legal tasks (e.g. to the Register for Screening Programmes of the Minister of Health in accordance with § 5b EpiG).
  2. LEAD operates the LEAD platform (via its mobile application and website), where test persons can register and where their identity is verified. After the tests have been carried out, the test results are also communicated via the LEAD platform.
  3. Lifebrain carries out the laboratory medical evaluation of the sample material in its laboratories and communicates the test results back to LEAD. If a (voluntary) verification of the identity of the test person has been carried out, Lifebrain will also provide the test person (possibly via the owner of the user account) with a laboratory medical report for retrieval and download. In order to fulfil legal tasks and reporting obligations, test results are also transmitted to the responsible public legal entities to the extent necessary.

As part of the described implementation of COVID-19 tests – and taking into account the previously defined areas of responsibility (1) to (3) – the project partners therefore jointly determine the purposes and means of data processing. They are joint controllers within the meaning of Article 26 GDPR.

What have the project partners agreed?

As part of their joint responsibility under data protection law, the project partners have agreed on which of them fulfils which obligations under the GDPR. This applies in particular to the exercise of the rights of data subjects and the fulfilment of the information obligations pursuant to Articles 13 and 14 GDPR.

In particular, the project partners have agreed on the following:

  1. The processing of the data within the framework of the screening program "Alles gurgelt!" takes place on the basis of § 5a EpiG in conjunction with Art. 9 (2) (i) GDPR. The processing of the data outside the screening program "Alles gurgelt!" takes place on the basis of the consent according to Art. 6 para 1 lit a in conjunction with Art. 9 para 2 lit a GDPR. The processing of data for the purposes of proof of identity is based on the consent of the tested person (Art. 6 para. 1 lit. a in conjunction with Art. 9 (2) (a) GDPR). The consent and data protection declaration is agreed by the project partners and provided by LEAD as part of the registration process (or consent obtained) and documented.
  2. The information obligations pursuant to Articles 13 and 14 GDPR are fulfilled by a data protection declaration, which is integrated as part of the registration process on the LEAD platform (see: https://lead-horizon.org/public/legal).
  3. In order to assert their data protection rights, data subjects may contact datenschutz@lead-horizon.com. In this respect, LEAD serves as a contact point for inquiries from data subjects. The other project partners support LEAD in safeguarding the rights of data subjects.
  4. Lifebrain is responsible for ensuring that the laboratory-medical analyses of the sample material are carried out according to the state of the art. For this purpose, only qualified personnel who are subject to appropriate legal or contractual confidentiality obligations are used.
  5. The City of Vienna is responsible for ensuring that the project pursues lawful processing purposes and that test results are only transmitted to public authorities in accordance with the applicable laws.

Whom can I contact as a data subject?

As the first point of contact for your data protection concerns, LEAD is available to you at the contact details below. Regardless of this, however, you have the right to assert your data protection rights against each of the joint controllers.

LEAD Horizon GmbH
Walcherstraße 1A, Stiege 1, 4. Stock, 1020 Wien
datenschutz@lead-horizon.com
www.lead-horizon.com

Stadt Wien, Magistratsabteilung MA 15 – Gesundheitsdienst der Stadt Wien
Thomas-Klestil-Platz 8/2, 1030 Wien
info@allesgurgelt.at
www.allesgurgelt.at

Lifebrain COVID Labor GmbH
Wipplingerstraße 35/10, 1010 Wien
datenschutz@lifebrain-labor.at
www.lifebrain-labor.at