Have this reviewed by a lawyer before publication (specialist for IT/data-protection law). Because genetic and health data is processed (Art. 9 GDPR, GenDG), special care is required.
The German version is authoritative.
Privacy policy
This policy informs you, in accordance with the General Data Protection Regulation (GDPR), how we process personal data when you use longcovid.expert.
Controller
The controller within the meaning of the GDPR is:
Innovation & Kooperation Scheiber GmbH, Ahornweg 4, 95643 Tirschenreuth, Germany.
Managing director/contact: [… to be added].
Overview & principle
Protecting your data matters to us. Our principle is: your data belongs to you.
We process personal data only as far as necessary for a functioning service and our offerings, and always in line with the GDPR and the supplementary national rules.
What data we process
Depending on your use, we process the following categories of personal data:
- Account data: e-mail address and name (to create and manage your account).
- Order and process data: your order and your progress in the physician-guided process (initial consultation/teleconsultation, saliva kit, laboratory analysis, medical release, report).
- Genetic and health data (special categories, Art. 9 GDPR): your saliva sample, the genetic analysis and the orientation report derived from it. We process these solely on the basis of your explicit consent (Art. 9 (2) (a) GDPR) and within a physician's order under the German Genetic Diagnostics Act (GenDG); the test is intended for persons aged 18 and over.
- Newsletter: e-mail address if you subscribe to the newsletter – via the double opt-in procedure.
- Server log files: technical access data such as IP address, date/time, page requested and browser type.
- Technically necessary cookies: a session cookie and a brand cookie for correct display – the service does not work without them.
Legal bases
Depending on the purpose, we base the processing on the following legal grounds:
- Art. 6 (1) (b) GDPR – performance of the contract or pre-contractual measures (account, order, provision of services).
- Art. 6 (1) (a) GDPR – on the basis of your consent (e.g. newsletter).
- Art. 6 (1) (f) GDPR – to safeguard our legitimate interests (e.g. technical operation and security).
- Art. 9 (2) (a) GDPR – explicit consent for the processing of genetic and health data; the genetic test is physician-ordered under the Genetic Diagnostics Act (GenDG).
Recipients / processors
To provide our services we use carefully selected service providers:
- Sequencing: CeGaT GmbH, Tübingen – accredited specialist laboratory in Germany (performing the sequencing).
- Analysis: PrecisionLife (combinatorial genetic analysis). The analysis runs on servers in Germany. [responsibility/location to be confirmed and stated clearly here]
- Medical supervision: the treating physician (teleconsultation, medical order and release under GenDG). [name/institution to be added]
- Payment service provider: Stripe (payment processing).
- E-mail dispatch: via our own mail server (mail.sepp.team).
- Hosting/infrastructure: [… to be added].
Where required, data processing agreements pursuant to Art. 28 GDPR are in place with these providers.
Transfer to third countries
Processing of your genetic and health data takes place in Germany; your data does not leave Germany.
With individual supporting providers (e.g. Stripe), a transfer to the USA may occur; where necessary, we base this on the European Commission's standard contractual clauses. [to be checked/added]
If an analysis provider were to process data outside the EU/EEA, we add the safeguards under Art. 44 et seq. GDPR here. [to be checked]
Storage period
We store personal data only for as long as necessary for the respective purposes, or for as long as statutory retention periods (in particular under commercial and tax law as well as the GenDG) require. The data is then deleted or restricted.
Your rights
Under the GDPR you have in particular the following rights:
- Access (Art. 15 GDPR)
- Rectification (Art. 16 GDPR)
- Erasure (Art. 17 GDPR)
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Objection to processing (Art. 21 GDPR)
- Withdrawal of a given consent with effect for the future (Art. 7 (3) GDPR)
Right to lodge a complaint with the supervisory authority
Without prejudice to other remedies, you have the right to lodge a complaint with a data protection supervisory authority. The authority responsible for us is:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Ansbach (Bavarian State Office for Data Protection Supervision).
Data security & automated decisions
We use SSL/TLS encryption to protect the transmission of your data.
No automated decision-making, including profiling, with legal effect concerning you takes place; the report does not replace a medical diagnosis.