3.4 Collection, processing and use of personal data when using the app
When downloading the mobile app, the required information is transferred to the App Store or the Google Play Store, i.e. in particular user name, e-mail address and customer number of your account, time of download, payment information and the individual device identification number. We have no influence on this data collection and are not responsible for it. We process the data only insofar as it is necessary for downloading the mobile app to your mobile device.
When using the mobile app, we collect the personal data described below to enable convenient use of the functions. If you wish to use our mobile app, we collect data that is technically necessary for us to offer you the functions of our mobile app and to ensure stability and security, such as IP address or date and time of the request (legal basis is Art. 6 para. 1 p. 1 lit. f DSGVO).
3.5 What permissions does the app require?
The authorization to determine the location is required in order to be able to display the current COVID-19 incidence values in the immediate vicinity. The location data is not saved. Granting this authorization and using this function is voluntary.
Authorization to use the camera is required in order to be able to scan QR codes for the “Add vaccination, test and recovery certificates” function, for the “Self-test” function and for the test function. Granting this authorization and using these functions is voluntary.
The internet connection is required so that the app can exchange data with the server system. This is necessary for the technical operation of the app and the
Maintain and secure the server system.
The transmission of the test result to the Corona warning app of the RKI takes place with your consent by means of an internet link (“App Link”), which can be opened and processed by the app. The code is generated from the first and last name, date of birth, the identification of the test in the test site and a random number for purposes of the Corona Warning App and transferred to the server operated by the RKI. In order to personalize the test result, the first name, last name and date of birth are also transmitted to the app.
In summary, processing purposes represent registration, user login, registration with partner companies, data backup, authentication, visit data, transmission to authorized third parties, and legal requirements.
3.6 Recipients of personal data
In principle, we process personal data ourselves. Personal data is only passed on to third parties if the transfer is permitted by law, if you have expressly consented to the transfer or if there is a legal obligation to transfer the data.
Some data processing may be carried out by our service providers, e.g. IT service providers that maintain our systems and data centers that host such systems. These third-party providers are then considered processors within the meaning of the GDPR.
For example, the sending of e-mail, fax and SMS is carried out by our service provider retarus GmbH. We have concluded DSGVO-compliant order processing contracts with these processors. The order processors have been carefully selected for this purpose, are contractually obligated to comply with data protection laws within the meaning of Art. 28 DSGVO and are subject to our instructions as well as our regular monitoring and may only use the personal data to fulfill their contractual tasks.
Furthermore, we may also exchange your personal data with health authorities, for which you have given your consent when using the app, in order to be able to comply, for example, with follow-up procedures in accordance with the Infection Protection Ordinance.
3.7 Storage period
The personal data, including the health data of the person using the app, will generally only be retained or stored for as long as is necessary to comply with legal obligations and to provide evidence in the event of liability issues.