Privacy Policy

Data protection

Status: 02/21/2022

The protection of your personal data is important to us. We have taken all technical and organizational measures to ensure that the regulations on data protection in accordance with the EU General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG) and other legal regulations are observed by us and by service providers.

The following information on data protection is intended to inform you about our handling of the collection, use, processing and disclosure of your personal data.

Data protection

  1. Name and address of the person responsible and scope
  2. Contact details of the data protection officer
  3. definitions
  4. Use of the Nova App websites
  5. Web analysis by Matomo (formerly PIWIK)
  6. Use of cookies on the Nova App websites
  7. Use of the contact form on the Nova App websites
  8. Use of the Nova app
  9. data security
  10. Technical and Organizational Measures (“TOM”)
  11. Hosting and Subcontractors
  12. Transfer of data to third parties or to a third country
  13. Left
  14. Your rights / rights of data subjects
  15. Others
  16. Change to our privacy policy

1. Name and address of the person responsible and scope

The person responsible within the meaning of the General Data Protection Regulation and other national data protection laws of the member states as well as other data protection regulations is:

RLE Nova GmbH (hereinafter “RLE”)
Brodhausen 1
51491 Overath
Telephone +49 (0) 221 | 8886-0
Fax +49 (0) 221 | 88 86-502
info@rle.de

This data protection declaration applies to the Internet offering that can be called up under the domain www.nova-app.de and the various subdomains and associated domains (hereinafter referred to as ” Nova App websites ” or “this website”).

Furthermore, this data protection declaration applies to the offered app including the system behind it:

a. RLE as responsible

Users can register with the Nova App for its use, for which it is necessary to provide registration and contact data. Users can also upload COVID-19 vaccination and testing certificates to the Nova app. RLE is responsible for the registration and this data.

b. RLE as processor

In addition, operators of facilities and organizers of events (e.g. sports facilities, theaters, concert halls, sporting events, congresses, trade fairs) can use the Nova App to manage user access to their facilities and user participation in their event and monitor (collectively, the “Operators”). The Nova App can also be used to track the temporary stay of a user in a specific facility or participation in a specific event, to provide this information to the authority responsible for health protection (e.g. the health department) in the case of an infected person to identify potential Provide contact persons and thus enable contact tracing for the purpose of health protection. As part of this use of the Nova App, RLE acts as a processor for the respective operator, who is responsible for the processing of this data.

2. Contact details of the data protection officer

If you have further questions about the collection, processing and use of your personal data, please contact our data protection officer:

RLE Nova GmbH
Data Protection Officer
Brodhausen 1
51491 Overath

datenschutz@rle.de

3. Definitions

The data protection declaration of the RLE is based on the terms used by the European legislator for the adoption of the General Data Protection Regulation (GDPR). Our data protection declaration should be legible and understandable for the general public as well as for our customers and business partners. To ensure this, we would like to explain the terms used in advance.

We use the following terms, among others, in this data protection declaration:

  1. a) Personal data

Personal data is any information relating to an identified or identifiable natural person (hereinafter “data subject”). A natural person is considered to be identifiable if, directly or indirectly, in particular by means of assignment to an identifier such as a name, an identification number, location data, an online identifier or to one or more special features, the expression of the physical, physiological, genetic, psychological, economic, cultural or social identity of this natural person can be identified.

  1. b) Data subject

A data subject is any identified or identifiable natural person whose personal data is processed by the controller.

  1. c) Processing

Processing is any process carried out with or without the help of automated procedures or any such series of processes in connection with personal data such as collecting, recording, organizing, organizing, storing, adapting or changing, reading out, querying, using, disclosure by transmission, distribution or any other form of making available, matching or linking, restriction, deletion or destruction.

  1. d) Restriction of processing

Restriction of processing is the marking of stored personal data with the aim of restricting their future processing.

  1. e) Profiling

Profiling is any type of automated processing of personal data, which consists in using this personal data to evaluate certain personal aspects relating to a natural person, in particular aspects relating to work performance, economic situation, health, personal Analyze or predict that natural person’s preferences, interests, reliability, behavior, whereabouts or relocation.

  1. f) Pseudonymization

Pseudonymization is the processing of personal data in such a way that the personal data can no longer be assigned to a specific data subject without the use of additional information, provided that this additional information is kept separately and is subject to technical and organizational measures that ensure that the personal data not assigned to an identified or identifiable natural person.

  1. g) Controller or data controller

The person responsible or responsible for processing is the natural or legal person, authority, institution or other body that alone or jointly with others decides on the purposes and means of processing personal data. If the purposes and means of this processing are specified by Union law or the law of the Member States, the person responsible or the specific criteria for his naming can be provided for by Union law or the law of the Member States.

  1. h) Processors

Processor is a natural or legal person, authority, institution or other body that processes personal data on behalf of the person responsible.

  1. i) Recipient

Recipient is a natural or legal person, public authority, institution or other body to which personal data is disclosed, regardless of whether it is a third party or not. However, authorities that may receive personal data in the context of a specific investigation mandate under Union or Member State law are not considered recipients.

  1. j) Tthird party

Third party is a natural or legal person, public authority, agency or body other than the data subject, the controller, the processor and the persons who, under the direct responsibility of the controller or the processor, are authorized to process the personal data.

  1. k) Consent

Consent is any expression of will voluntarily given by the data subject in an informed manner and unequivocally for the specific case in the form of a declaration or other clear confirmatory action with which the data subject indicates that they consent to the processing of their personal data is.

4. Use of the Nova App websites

a. Scope of processing

Each time our website is accessed, our system automatically collects data and information from the computer system of the accessing computer.

The following data is collected here:

(1) Information about the browser type and version used

(2) The IP address of the user ( only anonymous )

(3) Date and time of access

(4) Request method, called URL and version of the HTTP protocol

(5) Result value of the request (HTTP status code) and the size of the call

(6) Websites from which the user’s system accesses our website

(7) Websites accessed by the user’s system via our website

The data is also stored in the log files of our system. This does not affect the IP addresses of the user or other data that enable the data to be assigned to a user. A storage of this data together with other personal data of the user does not take place or only anonymously .

b. Legal basis

The legal basis for the temporary storage of the data is the legitimate interest (Art. 6 Para. 1 lit. f GDPR).

c. Purpose of processing

The temporary storage of the IP address by the system is necessary to enable delivery of the website to the user’s computer. For this purpose, the IP address of the user must remain stored for the duration of the session.

Storage in log files takes place to ensure the functionality of the website. In addition, we use the data to optimize the website and to ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place in this context.

Our legitimate interest in data processing according to Art. 6 para. 1 lit. f GDPR.

i.e. Duration of storage

The data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. In the case of the collection of data for the provision of the website, this is the case when the respective session has ended .

If the data is stored in log files, this is the case after 60 days at the latest . Storage beyond this is possible. In this case, the IP addresses of the users are deleted or alienated so that it is no longer possible to assign the calling client.

e. Possibility of objection and elimination

The collection of the data for the provision of the website and the storage of the data in log files is absolutely necessary for the operation of the website. Consequently, there is no possibility of objection on the part of the user.

5. Web analysis by Matomo (formerly PIWIK)

a. Scope of processing

We use the open source software tool Matomo (formerly PIWIK) on our website to analyze the surfing behavior of our users. The software sets a cookie on the user’s computer (see above for cookies). If individual pages of our website are called up, the following data is stored:

  • Two bytes of the IP address of the user’s calling system
  • The accessed website
  • The website from which the user accessed the accessed website (referrer)
  • The sub-pages that are accessed from the accessed website
  • The length of stay on the website
  • The frequency of visits to the website

The software runs exclusively on the servers of RLE or on the servers of commissioned service providers. A storage of the personal data of the users only takes place there. The data will not be passed on to third parties.

The software is set in such a way that the IP addresses are not saved completely, but 2 bytes of the IP address are masked (e.g.: 192.168.xxx.xxx). In this way, it is no longer possible to assign the shortened IP address to the calling computer.

b. Legal basis

The legal basis for processing the data is the legitimate interest (Art. 6 Para. 1 lit. f GDPR) for the general use of the tool and the explicit consent (Art. 6 Para. 1 lit. a GDPR) of the user (based on the Cookie settings) for the collection of user-related statistical evaluations.

c. Purpose of data processing

The processing of users’ personal data enables us to analyze the surfing behavior of our users. By evaluating the data obtained, we are able to compile information about the use of the individual components of our website. This helps us to constantly improve our website and its user-friendliness. Our legitimate interest in the processing of the data according to Art. 6 para. 1 lit. f GDPR. By making the IP address anonymous, the user’s interest in the protection of their personal data is sufficiently taken into account.

i.e. Duration of storage

The data will be deleted as soon as they are no longer required for our recording purposes.

Exact time of automated deletion: 13 months after admission.

e. Possibility of objection and elimination

Cookies are stored on the user’s computer and transmitted to our site. Therefore, as a user, you also have full control over the use of cookies. By changing the settings in your Internet browser, you can deactivate or restrict the transmission of cookies. Cookies that have already been saved can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it may no longer be possible to use all the functions of the website to their full extent.

f. More information

The person concerned can prevent the setting of cookies by our website, as already described above, at any time by means of a corresponding setting in the Internet browser used and thus permanently object to the setting of cookies. Such a setting of the Internet browser used would also prevent Matomo from setting a cookie on the information technology system of the person concerned. In addition, a cookie already set by Matomo can be deleted at any time via an Internet browser or other software programs.

Furthermore, the person concerned has the option of objecting to and preventing the collection of data generated by Matomo and related to the use of this website. To do this, the person concerned must set “ Do Not Track ” in their browser.

With the setting of the opt-out cookie, however, there is the possibility that the Internet pages of the person responsible for processing can no longer be used in full for the person concerned.

Further information and Matomo’s applicable data protection regulations can be found at https://matomo.org/privacy .

6. Use of cookies on the Nova App websites

a. Scope of processing

The Nova App websites use cookies. Cookies are text files that are stored in the internet browser or by the internet browser on the user’s computer system. If a user calls up a website, a cookie can be stored on the user’s operating system. This cookie contains a characteristic character string that enables the browser to be uniquely identified when the website is called up again.

We use cookies to make our website more user-friendly. Some elements of our website require that the calling browser can be identified even after a page change.

All details on the use of cookies can be viewed via the integrated tool. The “Cookie Details” link lists all cookies grouped by category. Non-essential cookies are deactivated by default in accordance with the privacy-by-default principle.

The following screenshots show the tool on the start screen when the website is called up for the first time and in the data protection settings with detailed information on all cookies.

The cookies are divided into the following categories:

Technically required (“Essential”)

These are strictly necessary cookies that are needed in order to enable you to move around a website and use its features. Without these cookies, some functionalities cannot be guaranteed.

Performance (“Statistics”)

Performance cookies collect information about how a website is used – for example which pages a visitor visits most often and whether he receives error messages from a page. These cookies do not store any information that would allow the user to be identified. The information collected is aggregated and thus evaluated anonymously . These cookies are only used to improve the performance of a website and thus the user experience.

Third Party Providers (“External Media”)

Third party cookies are created by embedded plugins or addons on our website. An example of this is the integration of Google Maps.

a. Legal basis

The legal basis for the processing of personal data using technically necessary cookies is legitimate interest (Art. 6 Para. 1 lit. f GDPR).

The legal basis for the processing of personal data using cookies for analysis purposes is Art. 6 Para. 1 lit. a GDPR

b. Purpose of processing

The purpose of using technically necessary cookies is to simplify the use of websites for users. Some functions of our website cannot be offered without the use of cookies. For these it is necessary that the browser is recognized even after a page change.

The user data collected by technically necessary cookies are not used to create user profiles.

Performance cookies are used to improve the quality of our website and its content. Through these statistics, we learn how the website is used and can thus constantly optimize our offer.

c. Duration of storage

Cookies are stored on the user’s computer and transmitted to our site. Therefore, as a user, you also have full control over the use of cookies. By changing the settings in your Internet browser, you can deactivate or restrict the transmission of cookies. Cookies that have already been saved can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it may no longer be possible to use all the functions of the website to their full extent.

The default expiry time and further information on the respective cookies can be found in the list of tools as described in the process.

i.e. Further possibilities of restriction by the user

Furthermore, users can take the following steps to activate the “Do Not Track” function in common browsers:

Please note that you can set your browser so that you are informed about the setting of cookies and can decide individually whether to accept them or exclude the acceptance of cookies for certain cases or in general. Each browser differs in the way it manages cookie settings. This is described in the help menu of each browser, which explains how you can change your cookie settings. These can be found for the respective browsers under the following links:

Please note that if cookies are not accepted, the functionality of our website may be restricted.

2. Use of the contact form on the Nova App websites

a. Scope of processing

There is a contact form on our website which can be used to contact us electronically. If a user takes advantage of this option, the data entered in the input mask will be transmitted to us and saved. These dates are:

  • Name (optional)
  • Company (optional)
  • Address (optional)
  • E-mail address
  • Message

At the time the message is sent, the following data is also stored:

  • The IP address of the user
  • Date and time of registration

Alternatively, you can contact us via the email address provided. In this case, the user’s personal data transmitted with the e-mail will be stored.

In this context, the data will not be passed on to third parties. The data will only be used to process the conversation.

b. Legal basis

The legal basis for processing the data is the legitimate interest (Art. 6 Para. 1 lit. f GDPR).

The legal basis for the processing of the data that is transmitted in the course of sending an e-mail is also the legitimate interest (Art. 6 Para. 1 lit. f GDPR). If the e-mail contact is aimed at concluding a contract, the legal basis for processing is the implementation of pre-contractual measures (Article 6 (1) (b) GDPR).

c. Purpose of data processing

The processing of the personal data from the input mask serves us solely to process the contact. If contact is made by e-mail, this is also the necessary legitimate interest in the processing of the data.

The other personal data processed during the sending process serve to prevent misuse of the contact form and to ensure the security of our information technology systems.

i.e. Duration of storage

The data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. For the personal data from the input mask of the contact form and those sent by e-mail, this is the case when the respective conversation with the user has ended. The conversation is over when it can be inferred from the circumstances that the facts in question have been finally clarified.

The additional personal data collected during the sending process will be deleted after a period of seven days at the latest.

e. Possibility of objection and elimination

The user has the option to object to the storage of personal data at any time. If the user contacts us by email, he can object to the storage of his personal data at any time. In such a case, the conversation cannot be continued.

All personal data that was saved in the course of making contact will be deleted in this case.

3. Use of the Nova App

When using the Nova App, various personal data and information are requested, which are stored in our systems for various purposes. As explained at the beginning, some processing is carried out by RLE under its own responsibility (see a.), while other processing is carried out by RLE on behalf of an operator of a facility or event (order processing, see b.). In detail:

a. RLE as responsible

(1) Scope and purpose of processing during registration

The following data is collected when a user registers with the Nova app:

  1. credentials
  • Name first Name
  • E-mail address (possibly also pseudonymised with Apple)
  • Date of birth (only for the purpose of determining the required minimum age of the applicant of 16 years).

  1. Contact details

In order to enable contact tracing with regard to health protection (e.g. in the case of COVID-19 infections), we store the following data in addition to your login data when you register:

  • Telephone number (mobile phone)
  • Address (street, zip code, city, country)

  • Image data

In the course of registration, image data is collected for identification. With the user’s consent, this image data is converted into biometric data / distance data, on the basis of which the check-in can be carried out on site at the hygiene column. The user also has the option of using the photo taken during registration as a profile photo and sending it to the operator of a facility or event.

(2) Add vaccination and testing certificates

The Nova App offers users the option of importing vaccination and test certificates from other sources (e.g. the Corona-Warn-App) into the Nova App user account.

(3) Self-test at participating test centers

Nova App users can get tested for COVID-19 at participating testing centers listed in the Nova App. The participating test centers provide a QR code on site that users can scan using the Nova app. Then, with the user’s consent, the registration data and contact details required to carry out the test (see above, Section 8 a. (1) i. and ii.) will be transmitted by RLE to the respective test center. The corresponding test certificate is created by the test center via the Nova app and stored there in the user account. The test center processes the data transmitted by the user, the swab samples taken and the test result (positive / negative / ambiguous test result) for identification purposes, for the assignment of samples and test results, for the administrative processing of the desired examination, as well as for testing, statistical and billing purposes. The test certificate is then stored in the user account of the user concerned in the NOVA app for their purposes of use.

(4) Use of the Robert Koch Institute’s Corona warning app for test certificates

Users have the option of using the Robert Koch Institute’s Corona Warn App to call up their test result for an antigen test. For more information, see no. 8.g. described.

(5) RLE can process user data anonymously for statistical purposes.

b. Scope and purpose of processing when visiting a facility or attending an event (RLE as processor)

If the user decides to use the Nova App when visiting a facility or participating in an event, the operator of the facility or event is responsible for this visit or participation in the sense of data protection law, while RLE controls the data processing via the Nova App carries out on its behalf by way of order processing.

A user first receives an invitation from the operator for an event or a series of several events or visits, for which the user then registers. Here, the under no. 8 a. (1) i. and ii. described data of the user is transmitted to the operator. The operator will also be informed whether the user meets the applicable certificate requirements (e.g. negative COVID-19 antigen test, full vaccination certificate); the certificates themselves are not transmitted to the operator. The operator collects further personal data from the participant as part of its events:

  • Times and place of stay

As part of the contact tracing regarding health protection (e.g. in the case of COVID-19 infections), we store the time of your stay in the facility or at the event on behalf of the respective operator in order to be able to report this to the authority responsible for health protection (e.g. the health department ) in the case of an infected person to identify potential contacts to enable contact tracing. The following data is collected:

  • Time at which the facility/event is entered (“Check-In”)
  • Time at which the facility/event is left (“Check-Out”)
  • Name of facility/event and its address

  • health issues

In order to decide whether a person should be granted access to a facility/event, we ask users of the Nova App certain health questions on behalf of the respective operator. The answers to the health questions are not stored by us, but only used by the operator to decide who should be granted access to a facility or event.

  • On-site test by a test center or doctor commissioned by the operator

If necessary, COVID-19 tests may be carried out on site by a test center or doctor commissioned by the operator. The corresponding test result/certificate is stored in the Nova app by the operator or the test center or doctor commissioned by him and used by the operator for his participation or visitor management for his event, event series or facility.

  • Health data and quick test slot

As part of participation and visitor management, we collect and store the following data on behalf of the respective operator:

  • Body temperature (normal, elevated) (not saved)
  • Date/time slot and location for on-site quick tests
  • Copy of SARS-CoV-2 test results (e.g. PCR, rapid tests), which are carried out in accordance with the above no. (3) carried out on site on behalf of the operator.

  • Possible use of a profile photo to register for events

If an operator collects profile photos of the participants when registering for access to a facility or participation in an event, the user has the option of using the photo collected during registration, on the basis of which the check-in is carried out on site at the hygiene column, to use.

With each check-in, the user receives an automated e-mail confirming the check-in. This function can be deactivated by the user via a link in each relevant e-mail.

c. Legal bases

If RLE collects personal data as the person responsible as part of the user’s registration for the Nova App, this processing is based either on the user’s consent given to RLE (Article 6 (1) (a) GDPR) or on necessity for the fulfillment of the contract (Art. 6 Para. 1 lit. b GDPR) that the user has concluded with RLE in order to be able to use the Nova App.

If a user takes the opportunity to import vaccination and test certificates from other sources (e.g. the Corona-Warn-App) into the Nova App, this processing is based on the user’s consent (Art. 6 Para. 1 lit. a DSGVO) .

If RLE processes user data anonymously for statistical purposes, the anonymization takes place on the basis of legitimate interest (Art. 6 Para. 1 lit. f DSGVO).

If a user is tested for COVID-19 in a participating test center, the required registration data and contact details (see above, Section 8 a. (1) i. and ii.) are transmitted by RLE to the respective test center and stored of the corresponding test certificate in the Nova App on the basis of the user’s consent given to RLE (Article 6 (1) (a) GDPR). The test center processes the data transmitted by the user, the swab samples taken and the test result (positive / negative / inconclusive test result) on the basis of the user’s consent, which the user gives to the respective test center via the Nova app (Art. 6 para. 1 lit. a GDPR). With regard to this data, RLE acts as the processor of the respective test center and, as its receptionist, accepts the user’s declaration of consent via the Nova App.

After transmission of the under no. 8 a. (1) i. and ii. The user’s data described to the operator, which is based on the user’s consent (Art. 6 Para. 1 lit. a DSGVO), will be processed further when using the Nova App when visiting a facility or participating in an event , carried out by RLE as the processor according to the instructions and on behalf of a person responsible in terms of data protection law, i.e. the respective operator of the facility or event. The relevant legal basis for the processing of data in the course of using the Nova App for contact tracing with regard to health protection (e.g. in the case of COVID-19 infections) is the fulfillment of a legal obligation by the operators of the facilities or events that use the Nova App ( Article 6 (1) (c) GDPR). The corresponding obligation results from the respective country-specific Coronavirus Protection Ordinance – CoronaSchV or other relevant health protection regulations.

The data collected by the Nova App beyond the country-specific health protection regulations for the purposes of visitor and participation management and access control by the operator, for billing purposes and for statistical purposes are based either (a) on the consent of the user, which he gives to the respective operator of the facility or event (Art. 6 Para. 1 lit. a DSGVO), whereby RLE acts in its role as the processor of the respective operator as its receptionist and accepts the user’s declaration of consent via the Nova app, or (b) on the necessity for the fulfillment of a contract (Art. 6 Para. 1 lit. b DSGVO) that the user has concluded for visiting a facility or participating in an event.

i.e. Duration of storage

  • credentials

Registration data is stored for as long as the user is actively using the account. After a period of 180 days of inactivity , in which no logins are recorded by the system, the user is automatically notified by email. If there is no login in the following 21 days either, the data will be automatically deleted after these 201 days .

The linking of all other data (contact data) with the user account is then also canceled.

  • Contact details

Contact data is managed in the same way as the registration data.

They are stored for as long as the user is actively using the account. After a period of 180 days of inactivity , in which no logins are recorded by the system, the user is automatically notified by email. If there is no login in the following 21 days either, the data will be automatically deleted after these 201 days .

  • Image data for identification

The image data for identification is stored in the same way as the registration data for as long as the user is actively using the account. As soon as the consent is revoked or at the latest after a period of 180 days of inactivity in which no logins are recorded by the system, the user will be automatically notified by e-mail. If there is no login in the following 21 days either, the data will be automatically deleted after these 201 days .

  • Times and place of a user’s stay

Times and places of stays will be deleted no later than one month after the end of the respective event.

  • Health issues

The answers to the health questions are only used by the respective operator to decide who should be granted access to a facility or an event, but are not stored.

  • Health data

The body temperature is also only used by the respective operator to decide who should be granted access to a facility or an event, but is not saved. Vaccination certificates remain in the Nova App for as long as the user chooses; the user can delete this information from the Nova app at any time. COVID-19 rapid test results are automatically deleted after 7 days, COVID-19 PCR test results after 21 days; the user also has the option of deleting this information from the Nova app beforehand. All other health data will be deleted no later than one month after the end of the event in question.

  • Possible use of a profile photo to register for events

Like the login data, the profile photo is stored for as long as the user is actively using the account. As soon as the consent is revoked or at the latest after a period of 180 days of inactivity in which no logins are recorded by the system, the user will be automatically notified by e-mail. If there is no login in the following 21 days either, the data will be automatically deleted after these 201 days .

e. Voluntary

The provision of your data in the course of registering with the Nova App is voluntary. Nevertheless, without this provision, we cannot contact you, send you information and fulfill the other purposes mentioned.

Insofar as we request this data from you on behalf of the respective operator of the facility that you wish to visit or of the event in which you wish to take part, the provision of your data is also voluntary. In this case, your legal relationship with the operator decides on the consequences of not providing the data you have requested.

f. Disclosure of Data to Third Parties

The under no. 8 a. (1) i. and ii. The data described will be passed on to the authorities responsible for health protection (e.g. the health authorities) in the event that COVID-19 contact tracing is necessary.

If the user checks in with operators who use the Nova App and the check-in procedure via RLE (by scanning the QR code of an operator by the user), the operator is given a temporary, one-time display of the Registration and contact data within the Nova app are given the possibility of control. This is necessary to enable the operators to comply with their legal control obligation to ensure the correctness of the data. Although the data is displayed to the operators via the Nova App, it is not stored by the operator.

In addition, we do not pass on user data to third parties without the prior express consent of the user. A transfer to a third country is also excluded, unless a user is located in a third country himself.

G. Use of the Robert Koch Institute’s Corona-Warn-App for test certificates

Users have the option of using the Corona Warn App (“ Corona-Warn-App ”) of the Robert Koch Institute (“ RKI ”) to call up their test results of an antigen test. In order for users to be able to call up their test result via the Corona-Warn-App, it is necessary for the test result to be transmitted from the test center to the server system of the RKI. In short, this is done by the test center storing the test result, linked to a machine-readable code, on a dedicated RKI server. The code is a pseudonym of the user; further information about the user is not required to display the test result in the Corona-Warn-App. However, users have the option of personalizing the display of the test result by entering their last name, first name and date of birth. The code is formed from the intended time of the test and a random number. The code is formed by offsetting the aforementioned data with one another in such a way that it is no longer possible to calculate the data back from the code. Users receive a copy of the code in the form of a QR code, which can be read into the Corona-Warn-App using the camera function of a smartphone. Alternatively, users can also receive the pseudonymous code as an Internet link, which can be opened and processed by the Corona-Warn-App. This is the only way to link the test result to the Corona-Warn-App. With their consent, users can then call up their test results using the Corona-Warn-App. The test result is automatically deleted from the RKI server after 21 days. If a user agrees to the transmission of his pseudonymous test result by means of the code to the Corona-Warn-App infrastructure for the purpose of retrieving the test, he can consent to this via the Nova App. Users can revoke their consent at any time with effect for the future. Due to the existing pseudonymization, however, an assignment to the person of the user cannot be made, so that the data is only automatically deleted after the 21-day storage period has expired. Details on this are also available in the data protection notices of the RKI’s Corona-Warn-App.

4. Data Security

RLE and all contract processors used maintain current technical and organizational measures (“TOM”) to ensure data security, in particular to protect your personal data from dangers during data transmission and from third parties gaining knowledge. These are adapted in accordance with the current state of the art.

5. Technical and Organizational Measures (“TOM”)

A detailed overview of the current technical and organizational measures used for the respective data processing can be provided at any time on request.

6. Hosting and Subcontractors

a. Overview of the processors

Company

Incl. address

Processing / purpose

Type of data

Place of

data management

Categories of those affected

Advertising agency LAWRENZ – The quality

Grossdresbach 5, 51491 Overath

Storage of website hosting data

Site data

Germany

Users of the site

Google Ireland Limited

Gordon House

Barrow St

Dublin 4

Ireland

Storage of data for hosting the app

All data collected in the course of using the app

Germany

App users incl. operator

a. More information about LAWRENCE

To operate the websites at www.nova-app.de, RLE uses the services of the company “Advertising agency LAWRENZ – Die Qualitätser”, Großdresbach 5, 51491 Overath, Germany ( hereinafter LAWRENZ ).

This currently uses the web hosting provider Host Europe GmbH, Hansestrasse 111, 51149 Cologne, to operate the above-mentioned pages.

A web hosting provider provides the technical infrastructure such as servers, databases, web space, FTP access and the like that are required to operate a website. This means that personal data collected directly by RLE in the course of visiting the Nova App websites is stored in databases whose infrastructure is made available by Host Europe.

The data protection declaration of Host Europe GmbH can be viewed at https://www.hosteurope.de/AGB/Datenschutzerklaerung/

RLE has also concluded an order processing contract with LAWRENZ. This contract regulates the scope, type and purpose of the processing options of LAWRENZ.

b. Learn more about Google

For the provision of the Nova App (hosting) and the associated services, RLE uses the services of the company “Google Ireland Limited”, Gordon House Barrow Street, Dublin 4, Ireland (hereinafter Google ).

Google provides the technical infrastructure, such as servers, databases and similar, which are required to operate the Nova App. This means that personal data collected directly by RLE, as described above, is stored in databases whose infrastructure is made available by Google.

To ensure the security of the data, RLE selects the processors very carefully and only according to the highest standards. For example, Google holds the following internationally recognized certifications for the affected services: ISO 27001, 27017, 27018.

RLE has also concluded an order processing contract with Google. This contract regulates the scope, type and purpose of Google’s processing options.

2. Transfer of data to third parties or to a third country

Our employees and the service companies commissioned by us are bound by us to maintain confidentiality and to comply with the provisions of the current data protection laws. Access to personal information by our employees is limited to those employees who need the information in order to perform their job responsibilities.

3. Left

If you use external links that are offered on our website, this data protection declaration does not extend to these links.

If we offer links to other websites, we endeavor to ensure that they also comply with our data protection and security standards. However, we have no influence on compliance with data protection and security regulations by other providers. Therefore, please inform yourself on the websites of the other providers about the data protection declarations provided there.

4. Your rights / rights of data subjects

If personal data is processed by you, you are the data subject within the meaning of the GDPR and you have the following rights vis-à-vis the person responsible. If RLE acts as a processor for operators of facilities or events as part of the Nova app offer, the following rights exist vis-à-vis the respective operator and can be asserted against them via the Nova app. Any rights can also be asserted against the data protection officer of RLE:

RLE Nova GmbH & Co. KG
Data Protection Officer
Brodhausen 1
51491 Overath

datenschutz@rle.de

a. Right of providing information

You can request confirmation from the person responsible as to whether personal data relating to you is being processed by us.

If such processing is present, you can request information from the person responsible for the following information:

(1) the purposes for which the personal data are processed;

(2) the categories of personal data being processed;

(3) the recipients or categories of recipients to whom your personal data has been or will be disclosed;

(4) the planned duration of the storage of the personal data concerning you or, if specific information on this is not possible, criteria for determining the storage duration;

(5) the existence of a right to rectification or erasure of personal data concerning you, a right to restriction of processing by the person responsible or a right to object to this processing;

(6) the existence of a right of appeal to a supervisory authority;

(7) all available information about the origin of the data, if the personal data are not collected from the data subject;

(8) the existence of automated decision-making including profiling in accordance with Art. 22 para. 1 and 4 GDPR and – at least in these cases – meaningful information about the logic involved as well as the scope and intended effects of such processing for the data subject.

You have the right to request information as to whether your personal data is being transmitted to a third country or to an international organization. In this context, you can request information about the appropriate guarantees in accordance with Art. 46 GDPR to be informed in connection with the transfer.

b. Right to Rectification

You have a right to correction and/or completion to the person responsible if the processed personal data concerning you is incorrect or incomplete. The person responsible must make the correction immediately.

c. Right to restriction of processing

Under the following conditions, you can request the restriction of the processing of your personal data:

(1) if you dispute the accuracy of the personal data concerning you, for a period enabling the controller to verify the accuracy of the personal data;

(2) the processing is unlawful and you refuse to have the personal data erased and instead request that the use of the personal data be restricted;

(3) the person responsible no longer needs the personal data for the purposes of processing, but you need them to assert, exercise or defend legal claims, or

(4) if you object to the processing pursuant to Art. 21 para. 1 GDPR and it is not yet certain whether the legitimate reasons of the person responsible outweigh your reasons.

If the processing of the personal data concerning you has been restricted, this data – apart from its storage – may only be used with your consent or to assert, exercise or defend legal claims or to protect the rights of another natural or legal person or for reasons of important public interest of the Union or a Member State are processed.

If the restriction of processing has been restricted according to the above conditions, you will be informed by the person responsible before the restriction is lifted.

i.e. Right to Erasure

  1. a) Obligation to delete

You can request the person responsible to delete the personal data concerning you immediately, and the person responsible is obliged to delete this data immediately if one of the following reasons applies:

(1) The personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed.

(2) You revoke your consent, on which the processing pursuant to Art. Art. 6 para. 1 lit. a or Art. 9 para. 2 lit. a GDPR and there is no other legal basis for processing.

(3) You lay acc. Art. 21 para. 1 DSGVO objection to the processing and there are no overriding legitimate reasons for the processing, or you submit acc. Art. 21 para. 2 DSGVO objection to the processing.

(4) The personal data concerning you was processed unlawfully.

(5) The deletion of personal data concerning you is necessary to fulfill a legal obligation under Union law or the law of the Member States to which the person responsible is subject.

(6) The personal data concerning you was collected in relation to information society services offered pursuant to Art. 8 para. 1 GDPR.

  1. b) Information to third parties

Has the person responsible made the personal data concerning you public and is he/she acc. Art. 17 para. 1 GDPR, he shall take appropriate measures, also of a technical nature, taking into account the available technology and the implementation costs, to inform those responsible for data processing who process the personal data that you, as the person concerned, want them to delete it all links to such personal data or copies or replications of such personal data.

  1. c) Exceptions

The right to erasure does not exist if processing is necessary

(1) to exercise the right to freedom of expression and information;

(2) to fulfill a legal obligation that requires processing under Union or Member State law to which the controller is subject, or to perform a task that is in the public interest or in the exercise of official authority vested in the controller became;

(3) for reasons of public interest in the field of public health pursuant to Art. 9 para. 2 lit. h and i as well as Art. 9 para. 3 GDPR;

(4) for archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes acc. Art. 89 para. 1 GDPR, insofar as the right mentioned under section a) is likely to make it impossible or seriously impair the achievement of the objectives of this processing, or

(5) to assert, exercise or defend legal claims.

e. Right to information

If you have asserted the right to correction, deletion or restriction of processing against the person responsible, he is obliged to inform all recipients to whom the personal data concerning you have been disclosed of this correction or deletion of the data or restriction of processing, unless this proves to be impossible or involves a disproportionate effort.

You have the right vis-à-vis the person responsible to be informed about these recipients.

f. Right to data portability

You have the right to receive the personal data concerning you that you have provided to the person responsible in a structured, common and machine-readable format. In addition, you have the right to transmit this data to another person responsible without hindrance by the person responsible for providing the personal data, provided that

(1) the processing is based on consent acc. Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR or on a contract acc. Art. 6 para. 1 lit. b GDPR is based and

(2) the processing is carried out using automated procedures.

In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one person responsible to another person responsible, insofar as this is technically feasible. The freedoms and rights of other people must not be impaired by this.

The right to data portability does not apply to processing of personal data that is required to perform a task that is in the public interest or in the exercise of official authority that has been assigned to the controller.

G. Right to object

You have the right, for reasons arising from your particular situation, to object at any time to the processing of your personal data, which is based on Art. 6 para. 1 lit. e or f GDPR to file an objection; this also applies to profiling based on these provisions.

The person responsible no longer processes the personal data relating to you unless he can demonstrate compelling legitimate grounds for the processing which outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

If the personal data concerning you is processed in order to operate direct advertising, you have the right to object at any time to the processing of your personal data for the purpose of such advertising; this also applies to profiling insofar as it is associated with such direct advertising.

If you object to the processing for direct marketing purposes, the personal data relating to you will no longer be processed for these purposes.

In connection with the use of information society services, you have the option – notwithstanding Directive 2002/58/EC – to exercise your right to object by means of automated procedures that use technical specifications.

H. Right to revoke the declaration of consent under data protection law

You have the right to revoke your declaration of consent under data protection law at any time. The revocation of the consent does not affect the legality of the processing carried out on the basis of the consent up to the point of revocation.

i. Automated individual decision-making including profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision

(1) is necessary for the conclusion or performance of a contract between you and the person responsible,

(2) is permitted by law of the Union or the Member States to which the person responsible is subject and this law contains appropriate measures to protect your rights and freedoms and your legitimate interests or

(3) with your express consent.

However, these decisions must not be based on special categories of personal data according to Art. 9 para. 1 GDPR, unless Art. 9 para. 2 lit. a or g DSGVO applies and appropriate measures have been taken to protect your rights and freedoms and your legitimate interests.

With regard to the cases referred to in (1) and (3), the person responsible shall take appropriate measures to safeguard your rights and freedoms and your legitimate interests, including at least the right to obtain human intervention on the part of the person responsible, to express his or her point of view and to challenge the decision.

As a responsible company, we do not use automatic decision-making or profiling.

j. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the member state of your place of residence, your place of work or the place of the alleged infringement, if you believe that the processing of your personal data is contrary to violates the GDPR.

The supervisory authority to which the complaint was lodged will inform the complainant about the status and the results of the complaint, including the possibility of a judicial remedy under Art. 78 GDPR.

5. Miscellaneous

Parts of this data protection declaration were created by the data protection declaration generator of the DGD Deutsche Gesellschaft für Datenschutz GmbH, which acts as the external data protection officer in Munich, in cooperation with the lawyer for data protection law Christian Solmecke.

6. Changes to our privacy policy

We reserve the right to change our security and data protection measures if this becomes necessary due to technical developments or legal changes. In these cases, we will also adapt our information on data protection accordingly. Therefore, please note the current version of our data protection declaration.

Scroll to Top