Privacy policy “LaboTrack”
We undertake to comply with the statutory provisions on data protection and endeavour to always take into account the principles of data avoidance and data minimisation.
1. Name and address of the person responsible and of the data protection officer
a) The responsible person
The responsible person within the meaning of the General Data Protection Regulation and other national data protection laws of the member states of the European Union as well as other data protection regulations is:
LABOKLIN GmbH & Co KG
Steubenstr. 4
97688 Bad Kissingen
Email: info[at]laboklin.com
Tel.: 0971/ 72020
b) The data protection officer
The data protection officer of the data controller is:
SiDIT GmbH
Langgasse 20
97261 Güntersleben
Email: info@sidit.de
2. Definitions of terms
We have designed our privacy policy according to the principles of clarity and transparency. However, if there are any ambiguities regarding the use of various terms, the corresponding definitions can be found here [https://dsgvo-gesetz.de/art-4-dsgvo/].
3. Legal basis for the processing of personal data
a) Processing of personal data under the GDPR
We only process your personal data, such as your surname and first name, your e-mail address and IP address, etc., if there is a legal basis for doing so. According to the General Data Protection Regulation, the following regulations in particular come into consideration:
- Art. 6 para. 1 sentence 1 lit. a DSGVO: The data subject has given his/her consent to the processing of personal data concerning him/her for one or more specific purposes.
- Art. 6 para. 1 sentence 1 lit. b DSGVO: The processing is necessary for the performance of a contract to which the data subject is party or for the implementation of pre-contractual measures taken at the request of the data subject.
- Art. 6 para. 1 sentence 1 lit. c DSGVO: Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Art. 6 para. 1 sentence 1 lit. d DSGVO: Processing is necessary to protect the vital interests of the data subject or another natural person.
- Art. 6 para. 1 sentence 1 lit. e DSGVO: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Art. 6 para. 1 sentence 1 lit. f DSGVO: Processing is necessary for the purposes of the legitimate interests of the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.
However, at the relevant points in this data protection declaration, we will always point out once again the legal basis on which your personal data is processed.
b) Consent of the legal guardian according to Art. 8 Para. 1 Sentence 2 Alt.2 DSGVO
A parent or guardian must consent to all data processing within the scope of this app for which the consent of a minor who has not yet reached the age of 16 is required.
Information on the individual data processing operations, their purposes and the categories of data concerned, for which the consent of the data subject is required, can be found in the data protection declaration.
You can revoke your consent at any time by sending the revocation in text form to the contact details of the controller. The processing remains lawful until the revocation.
c) Processing of information pursuant to § 25 para. 1 TTDSG
We also process information pursuant to Section 25 (1) of the TTDSG by storing information on your terminal equipment or accessing information that is already stored on your terminal equipment. This can be both personal information and non-personal data, e.g. cookies, browser fingerprints, advertising IDs, MAC addresses and IMEI numbers. Terminal equipment is any equipment connected directly or indirectly to the interface of a public telecommunications network for the transmission, processing or reception of messages, § 2 para. 2 no. 6 TTDSG.
As a rule, we process this information on the basis of your consent, § 25 para. 1 TTDSG.
As far as an exception according to § 25 para. 2 No. 1 and No. 2 TTDSG is given, we do not need consent. Such an exception is given if we only access or store the information in order to transmit a message via a public telecommunications network or if this is absolutely necessary so that we can provide a telemedia service that you have expressly requested. You can revoke your consent at any time.
We inform you that the revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until revocation.
4. Disclosure of personal data
The transfer of personal data is also processing within the meaning of the previous point 3. However, we would like to inform you again here separately about the subject of transfer to third parties. The protection of your personal data is very important to us. For this reason, we are particularly careful when it comes to passing on your data to third parties.
Therefore, data is only passed on to third parties if there is a legal basis for the processing. For example, we disclose personal data to persons or companies that act for us as processors in accordance with Art. 28 DSGVO. A processor is anyone who processes personal data on our behalf, i.e. in particular in an instruction and control relationship with us.
In accordance with the requirements of the GDPR, we conclude a contract with each of our order processors to oblige them to comply with data protection regulations and thus provide your data with comprehensive protection.
5. Storage period and deletion
Your personal data will be deleted by us if it is no longer necessary for the purposes for which it was collected or otherwise processed, the processing is not necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defence of legal claims.
6. SSL encryption [1]
Our app uses SSL encryption for security reasons and to protect the transmission of confidential content, such as enquiries that you send to us as the app operator.
If SSL encryption is activated, the data you transmit to us cannot be read by third parties.
7. Collection and storage of personal data as well as their type and purpose of use
a) Download the app
When downloading the mobile app, the required information is transferred to the App Store or Play Store, i.e. in particular user name, email address and customer number of your account, time of download, payment information and the individual device identification number. We have no influence on this data collection and are not responsible for it. We process the data only insofar as it is necessary for downloading the mobile app to your mobile device.
b) Use of the app
When you use the mobile app, we collect the personal data described below to enable you to use the functions conveniently. If you wish to use our mobile app, we collect the following data that is technically necessary for us to offer you the functions of our mobile app and to ensure stability and security:
- IP address
- Date and time of the request
- Time zone difference from Greenwich Mean Time (GMT)
- Content of the request (concrete page)
- Access status/HTTP status code
- Data volume transferred in each case
- Website from which the request comes
- Operating system and its interface
- The device identification, unique number of the terminal (IMEI = International Mobile Equipment Identity)
The legal basis for data processing is Art. 6 para. 1 sentence 1 lit. f DSGVO. Our legitimate interest follows from the purposes for data collection listed above. In no case do we use the collected data for the purpose of drawing conclusions about your person.
c) Collection of site data / scanning of samples and sample bags
When using the app, you can scan QR codes at various locations (pick-up location, intermediate depot, destination). When you scan samples or sample bags, your name, device ID together with a timestamp and the GPS coordinates of the pick-up or drop-off location are linked to the QR code of the respective sample or sample bag.
The app can determine your location via GPS if you have agreed to this release in the settings of your operating system when installing the app.
The only requirement for using the app is that your location is determined and stored during scanning actions.
As part of using the app, you can scan QR codes at various locations. Once you link a location QR code to a sample QR code, your GPS location is processed and linked to the scanned data and your personal data as a courier.
The tracking data can only be viewed by us and the stakeholders involved for whom the commissioning company has given us clearance.
You can deactivate and reactivate the release in the operating system at any time afterwards. However, deactivating the function prevents the goals of the app from being achieved. The processing of the location data and your other personal data is therefore based on our legitimate interest pursuant to Art. 6 (1) f) DSGVO.
Tracking data will be kept for a maximum of 3 months after completion of the order and will be completely deleted thereafter.
d) Registration
As part of the registration process, we collect and process your first and last name, DeviceID and your courier service token for unique assignment.
We collect this data for legitimate interests for further identification and for the provision of our services pursuant to Art. 6 para. 1 sentence 1 lit. b) and f) DSGVO.
This data is stored by us in the backend.
e) Feedback form
We provide you with a form in our app so that you have the opportunity to send feedback to us at any time. When you use the form, your device name, the operating system you are using, the date and time you sent it will be transmitted to us so that we know who the request is from and can process it.
If you send us enquiries via a form, the information you provide in the enquiry form, including the contact details you provide there, as well as your IP address, will be processed in accordance with Art. 6 (1) sentence 1 lit. and f DSGVO for the purpose of exercising our legitimate interest, namely to carry out our business activities and to improve our app.
The enquiries as well as the accompanying data will be deleted 3 months after receipt at the latest, unless they are required for a further contractual relationship.
f) Camera release for scan
“Camera release for scan: so that the QR code or barcode scans can be carried out.”
g) Screenshot for feedback function
“Screenshot for the feedback function: (only in beta phase) in the test phase, a screenshot is taken of the bottom page of the app on which the user wants to give feedback.”
h) User database (surname, first name, courier service)
“User database: To allow couriers to register and log in and to allow mapping to routes.”
Possibly for registration; the data is stored in the database and only the responsible person has access to it.
i) Veterinary practice database (name, address, collection point, opening hours, sample bag, samples, etc.)
“Veterinary practice database: Needed so that the collected samples can be assigned to veterinarians. Later on, it is also planned to provide the couriers with further functions related to veterinarians (e.g. storage location for samples). Is this a date with a personal reference? The veterinarian is a legal person here.”
j) Samples, sample bags (ID, timestamps, driver, courier, position)
“Samples, sample bags: The transported goods… Laboklin must know which samples are transported. (Is not actually a date with personal reference, is it?)”
8. Google Firebase Crashlytics
In our app, the technology of Google Firebase (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, “Google”) is integrated with various functionalities.
Firebase Analytics enables the analysis of the use of our offer. In this way, completely anonymised information about the use of our app is collected and transmitted to Google, where it is stored. Google uses the advertising ID of the end device for this purpose. Google will use the aforementioned information to evaluate the use of our app and to provide other app usage-related services to our app support service provider.
You can restrict the use of the advertising ID in the device settings (iOS: Privacy/ Advertising/ No Ad Tracking; Android: Account/ Google/ Ads).
Crashlytics
Our app uses the “Crashlytics” analytics programme from Google via Google Firebase (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland).
This analysis programme uses IP addresses of the users for analysis purposes, which are, however, only used anonymously. It is not possible to draw conclusions about a specific person. Crashlytics provides us with real-time evaluations of system crashes and thus facilitates the maintenance of the apps. You can find more information here:
https://firebase.google.com/support/privacy?hl=de#examples-end-user-data-processed-by-firebase
Your consent pursuant to Art. 6 para. 1 sentence 1 lit. a) DSGVO constitutes the processing basis for the use of Google Firebase as well as Crashlytics.
You can revoke your consent at any time by changing the tracking settings. The processing of your personal data remains lawful until the time of your revocation.
9. Rights of the data subject
You have the following rights:
a) Information
In accordance with Article 15 of the GDPR, you have the right to request information about your personal data processed by us. This right to information includes information about
- the processing purposes
- the categories of personal data
- the recipients or categories of recipients to whom your data have been or will be disclosed
- the planned storage period or at least the criteria for determining the storage period
- the existence of a right to rectification, erasure, restriction of processing or objection
- the existence of a right of appeal to a supervisory authority
- the origin of your personal data, if it has not been collected by us
- the existence of automated decision-making, including profiling, and meaningful information about its details
b) Correction
In accordance with Art. 16 DSGVO, you have the right to have incorrect or incomplete personal data stored by us corrected without delay.
c) Deletion
In accordance with Art. 17 DSGVO, you have the right to request the immediate deletion of your personal data from us, insofar as the further processing is not necessary for one of the following reasons:
- the personal data are still necessary for the purposes for which they were collected or otherwise processed
- for the exercise of the right to freedom of expression and information
- for compliance with a legal obligation which requires processing under the law of the European Union or the Member States to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- for reasons of public interest in the area of public health pursuant to Art. 9 (2) (h) and (i) and Art. 9 (3) DSGVO
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes pursuant to Article 89(1) of the GDPR, insofar as the right referred to in Section a) is likely to render impossible or seriously prejudice the achievement of the purposes of such processing
- for the assertion, exercise or defence of legal claims
d) Restriction of processing
In accordance with Art. 18 of the GDPR, you may request the restriction of the processing of your personal data for one of the following reasons:
- You dispute the accuracy of your personal data.
- The processing is unlawful and you object to the erasure of the personal data.
- We no longer need the personal data for the purposes of processing, but you need it to assert, exercise or defend legal claims.
- You object to the processing pursuant to Art. 21 (1) DSGVO.
e) Information
If you have requested the rectification or erasure of your personal data or a restriction of processing pursuant to Art. 16, Art. 17 (1) and Art. 18 DSGVO, we will notify all recipients to whom your personal data has been disclosed, unless this proves impossible or involves a disproportionate effort. You may request that we inform you of these recipients.
f) Transmission
You have the right to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format.
You also have the right to request that this data be transferred to a third party if the processing was carried out with the aid of automated procedures and is based on consent pursuant to Art. 6 (1) sentence 1 lit. a or Art. 9 (2) lit. a or on a contract pursuant to Art. 6 (1) sentence 1 lit. b DSGVO.
g) Revocation
In accordance with Art. 7 (3) DSGVO, you have the right to revoke your consent at any time. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation. In the future, we may no longer continue the data processing that was based on your revoked consent.
h) Complaint
In accordance with Art. 77 of the GDPR, you have the right to complain to a supervisory authority if you believe that the processing of your personal data violates the GDPR.
i) Objection
If your personal data is processed on the basis of legitimate interests pursuant to Art. 6 (1) sentence 1 lit. f DSGVO, you have the right to object to the processing of your personal data pursuant to Art. 21 DSGVO, insofar as there are grounds for doing so that arise from your particular situation or the objection is directed against direct advertising. In the latter case, you have a general right of objection, which will be implemented by us without specifying the particular situation. If you would like to make use of your right of revocation or objection, it is sufficient to send an e-mail to info@laboklin.com.
j) Automated decision in individual cases including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision
i) is necessary for the conclusion or performance of a contract between you and us
ii) is permitted by legislation of the European Union or the Member States to which we are subject and that legislation contains appropriate measures to safeguard your rights and freedoms and your legitimate interests
iii) is done with your express consent
However, these decisions must not be based on special categories of personal data pursuant to Art. 9(1) of the GDPR, unless Art. 9(2)(a) or (g) of the GDPR applies and appropriate measures have been taken to protect the rights and freedoms and your legitimate interests.
With regard to the cases referred to in i) and iii), we shall take reasonable measures to safeguard the rights and freedoms and your legitimate interests, including at least the right to obtain the intervention of a person from our side, to express your point of view and to contest the decision.
10. Amendment of the privacy policy
If we change the privacy policy, this will be indicated in the app.
Status: 24.07.2023
[1] With the DSGVO, SSL encryption is mandatory for all websites that provide a contact or order form or a newsletter order. However, we generally recommend SSL encryption for all websites because, in our opinion, this corresponds to the state of the art. This also applies to apps.