Privacy policy: My Test Result

Privacy policy for the software “My Test Result” (Web/Android/iOS) – hereinafter: APP

Last date of saving the privacy policy: 29.03.2022

Publisher/provider and manufacturer of the software

itech Laborlösungen GmbH
Masenheimer Weg 5
33165 Lichtenau– hereinafter: ITECH

Data Protection Officer ITECH

Michael Bock, LL.M.
Daseco GmbH
Werkmeisterstr. 41
47877 Willich

You can reach our data protection officer via our customer service or, if confidential communication is desired, by mail.

Explanation

This APP is provided free of charge by ITECH to quickly and easily transmit test results, including COVID-19 test results, from medical laboratories, testing centers, or other examination sites to those tested. ITECH always acts on behalf of the person conducting the examination and is strictly bound by his instructions in handling the data. From the receipt of your examination order, the examination center is responsible for the processing of your data. When you submit your sample, a contractual relationship is established between you and the examination center, on the basis of which your data will be processed. The provision of your test result via our service is usually part of the commissioned performance or requires explicit consent on your part prior to sample submission. Therefore, ITECH is not a “third party” within the meaning of the GDPR. ITECH is not allowed to change contents of reports. Therefore, incorrectly recorded data can only be corrected by the examination center. In principle, no data is passed on to “third parties” without you as the user explicitly triggering this. ITECH explicitly points out that the APP does not have to be used on iOS or Android. It is just to save you from typing the QR-Code by using your smartphone’s camera as a scanner. All functions are realized by the web service and the APP works like a browser.

1. Basic function of the APP

The basic functionality of the APP and the associated Internet service does not require any personal data at all. It consists in showing you only the status or the result of your sample. Only globally unique codes and the associated results are stored. The APP captures these codes and returns the associated result.

2. Additional function of the APP

As an additional function, a personalized test result can be provided for you in the form of a PDF file, which you can use to prove your test status to third parties. This can be done either by submitting a PDF file generated by the examination center or by generating a PDF file according to the specifications of the examination center as soon as you request it in the APP. In both cases, the PDF file is only temporarily stored in the APP. The (PDF files with) personal data are exclusively encrypted and transferred to the Internet service via a secure line and stored there in encrypted form. The secrets used for encryption are agreed upon between the examination center and the respective tested persons and are not transmitted to the Internet service. User requests are only allowed via a secure connection. Within such a user session, users are then asked for the secrets. Only if these secrets allow successful decryption, the PDF will be provided to the user within the protected session of the APP.

2.1 Optional services

In order to provide further, optional functionalities of the APP, we use certain services. In detail, it is about the following functions and services:

2.1.1 Transmission to the Corona-Warn App

If your examination center supports this function, you can transmit your test result to your personal Corona-Warn App (hereinafter “CWA”) in order to prove it to third parties via CWA or to warn others, among other things. Transmission only takes place after explicit consent in the APP.In any case, only the test result and a pseudonymous code are transmitted to the servers of the Robert Koch Institute (hereinafter “RKI”). Transmission takes place via the official REST – interface of the RKI and was successfully accepted by T-Systems on 02.06.2021. As soon as the transfer to the RKI has taken place, you will be provided with a PDF with app link and QR-Code within the protected session of the web service, with which you can transfer your test result to your personal CWA. Here you have the choice between a pseudonymized or a personalized transmission. In the case of personalized submission, the QR-Code will contain your first and last name and date of birth.Details about CWA’s privacy policy can be found at https://www.coronawarn.app/de/#privacy.

2.1.2 Transfer to the luca app

If your examination center supports this function, you can transfer your test result to your personal luca app in order to prove this to third parties via luca app.A transfer only takes place after explicit consent in the APP.No data is transferred to servers of the luca app in this case. Instead, you will be provided with a PDF with app link and QR-Code within the protected session of the web service, which you can use to transfer your test result to your personal luca app. The content of the QR code is here specified. For the functionality of the luca integration, we do not need the personal content, which is encrypted separately. Instead, the QR-Code only contains a hash of the first and last name, which is matched with the data stored in your luca app during import. Please note that a transmission is only possible if the stored names match!Details about the data protection of the luca app can be found under https://www.luca-app.de/app-privacy-policy/.

2.1.3 Attestation

If your examination center supports this function, we offer you an extended copy protection of your test result with the possibility of external validation. This validates the data collected by your testing center, this may include: First Name, Last Name, Date of Birth, Date of Acceptance, Time of Acceptance, Gender, ID Number, Type of Test, Test Result, Order Number. The data is never stored unencrypted on the server for this purpose. When your certificate is accessed for the first time, a hash (SHA512) of the existing data is generated and stored on the server side. A back-calculation of the data from the hash is not possible. You will receive your certificate within the protected session of the APP in the form of a PDF file with QR-Code. This QR-Code contains the data in plain text and can be submitted to external persons for validation. When the QR-Code is scanned, the corresponding hash value is again formed from the data and validated against the server.

2.1.4 Push notifications (Android / iOS only)

When you scan a QR-Code in the APP, we ask if you want to receive push notifications about that sample. You can reject or allow them. The push notifications are only to inform you as soon as the status of your sample changes. This function is optional and will only be turned on with your permission. We use Google Firebase for this.Firebase generates a calculated key, which is composed of the identifier of the APP and its device identifier. If you enable push notifications for a test, the key is stored on the server side and linked to your test. You can remove this link at any time by removing the test from the APP. The Firebase servers cannot draw any conclusions about the requests of users or determine any other data related to an individual. Firebase serves only as an intermediary. Other Google Firebase services, in particular Google Firebase Analytics, are disabled. You can find more information on this and on the data protection of Google products hereand at Google.

2.1.5 Crash reports (Android / iOS only)

To continuously improve our APP, we use the services Microsoft Visual Studio App Center Analytics (up to version 1.3.5) and Microsoft Visual Studio App Center Crashes.App Center Analytics helps us understand how you use the APP so that we can improve it. This captures details such as number of sessions, device characteristics such as model, OS version, etc.App Center Crashes, on the other hand, automatically generates an anonymous bug report every time an error is detected in the APP.Since version 1.3.6, we completely abandon the use of App Center Analytics and give you full control over the bug reports generated by App Center Crashes: this way, you can decide whether or not to send us an anonymous bug report. For detailed information, please visit https://docs.microsoft.com/de-de/appcenter/sdk/data-collected#diagnostics.

3. Data stored on your device

The following data is temporarily stored on the device:

  • One or more globally unique identifier(s) (UUIDs)
  • A status code that represents the test result or the sample status

This data stored on the device is not personal data within the meaning of Art. 4 (1) GDPR, as a natural person is not identifiable from it. Only when providing a personalized PDF file as described above, personal data is temporarily stored for this very reason. The data collected is used exclusively for the functionality of the APP and is not passed on to third parties or used for advertising purposes or similar. The above-mentioned collected data will be deleted at the latest when the APP is removed from the device, but can also be deleted manually by the user. The data collection within the framework of the APP is carried out in compliance with the legal requirements in accordance with the General Data Protection Regulation (GDPR), the German Telemedia Act (TMG) and the Telecommunications and Telemedia Data Protection Act (TTDSG).The APP can only be used if the user has a receipt that was handed over to him/her when the sample was taken and on which the unique code is printed as a QR-Code.

4. Data we store when you contact us

When you contact us, you provide certain information about yourself, such as your email address or phone number. In some cases, it is necessary for us to ask you for further personal data, such as your name or date of birth, so that we can process your request. For this we use the ticket system “Zammad”. The data you provide will be recorded by us, provided that it is necessary for the processing of your request, and will only be stored in the documentation of your request. This data is retained only as long as required by retention and recordkeeping requirements. If it is necessary for the completion of your request, we will pass on your data to the examination center. We never pass on your data for advertising purposes or similar.

5. Deletion of the data

As a rule, all data for a QR-Code are deleted from the Internet service 21 days after the results are received and are then no longer available in the APP. However, the requirements for the deletion period of the examination center apply with priority, if this has made a different agreement with the tested persons.

6. Your data subject rights

In accordance with Chapter 3 of the General Data Protection Regulation (GDPR), you have the right to object to the provision of your test result via our service. If we are allowed to process your data on the basis of legitimate interests or in the legitimate public interest, you have the right to object to the processing of your data in certain cases. You always have this right if we should use your data for direct marketing purposes. In addition, you have the right to request information about the data collected by the examination center and, if necessary, a correction of incorrect personal data or, if the legal requirements are met, the correction, restriction or deletion of your data under the above contact details. Please note that information about or correction of your data can only be provided by the examination center and that we have to forward requests addressed to us accordingly. You have the right to contact our data protection officer at any time with complaints regarding data protection using the contact details above. Likewise, you can complain to the competent data protection supervisory authority. This can be found at https://www.bfdi.bund.de/DE/.