Eurofins LifeCodexx GmbH is committed to the responsible handling and security of personal data and all information entrusted to us. We, Eurofins LifeCodexx GmbH, will process personal data only in accordance with applicable laws, specifically the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (FDPA).
The purpose of this Privacy Notice is to inform you about how we process your personal data:
- in connection with ordering, sending in and analysing a COVID-19 Test | Sample collection kit for the detection of SARS-CoV 2 (section 3.),
- during your use of our websites at https://empowerdx.eu, https://kaap.empowerdx.de and myreturnportal.com as well as during your use of our Empower DX app (sections 3., 4., and 7.), and
- in connection with statutory reporting obligations (section 3.).
Moreover, this Privacy Notice provides information about the recipients of your information (section 5.), international data transfers (section 6.), the use of Google Analytics (section 7.), erasure of your personal data and retention periods (section 8.), measures to ensure data security (section 9.), your rights as a Data Subject (section 10.) and about automated decision-making (section 11.).
1. Data controller, Data Protection Officer
The data controller for the processing of your data is:
Eurofins LifeCodexx GmbH
The imprint and further contact details of the data controller can be found at https://lifecodexx.com/service/impressum/.
Our Data Protection Officer can be contacted at email@example.com.
2. Categories of personal data processed
We process the following categories of personal data:
- Data concerning health within the meaning of Art. 9(1) GDPR: The test result (specifically the determination of whether or not you are infected with coronavirus SARS-CoV-2), result date, sample, sample kit ID, result status, result lab code, type of sample material, sample date and detection method used and the combination of these data with your contact details as well as further data to handle delivery and processing by means of a barcode.
- Contact details: first and last name, gender, nationality, date of birth, address, telephone number (mobile), email address.
- Data required for technical purposes to provide our websites to you:
  - Inquirer’s public IP address
  - Inquiry time and date, including time zone
  - Requested URL, including query parameters and request header
  - Access status/HTTP status code
  - Data volumes transmitted
  - Referring website (known as “referrer URL”)
  - Your browser type and version
  - Your operating system and interface
  - Language and version of your browser software.
- Data required for technical purposes to provide our app to you: (Our app is still under development. More information will follow as soon as it becomes available.)
- Access credentials: access name and password
- Payment data
- Other data required to handle delivery and processing: customer ID, order ID, registration ID, order quantity, event tracking data, communication language, tracking status of your parcel.
3. Purposes for which your personal data will be processed and bases for processing
Your personal data will be processed on the basis of Art. 6(1)(b) GDPR, i.e. for the performance of a contract with you for mail-order delivery of a COVID-19 Test | Sample collection kit for the detection of SARS-CoV 2, and in order to take steps preparatory to entering into such a contract. If you register on our website at https://empowerdx.eu to order a COVID-19 Test | Sample collection kit for the detection of SARS-CoV 2, the information we will process for this purpose includes, but is not limited to, your access credentials, first and last name, address, email address, telephone number (mobile) and payment data. In this context, we also process other personal data which are internally assigned to you to handle delivery and processing, e.g. your customer ID, order ID, registration ID, order quantity, communication language, tracking status of your parcel and event tracking data. In the course of the performance of the contract with you, we will also process personal data (first name, last name, address, date of birth and parcel tracking status and telephone number (mobile)) to enable you to track your order and to support you if you have any inquiries. For example, we (or a call centre and customer support service provider engaged by us) track the progress of shipments and proactively notify you by calling the telephone number (mobile) you provided or by email if shipments cannot be delivered or picked up (e.g., if the address was not provided correctly). Processing for these purposes may also be based on our legitimate interest in providing customer support services pursuant to Art. 6(1)(f) GDPR.
We will process data concerning your health within the meaning of Art. 9(1) GDPR on the basis of your consent (Art. 9(2)(a) GDPR) given during the ordering process or during registration on the website https://kaap.empowerdx.de or myreturnportal.com or in the app EmpowerDX for the purposes of analysing the sample you sent in and providing the test result to you, and to allow you to check the status of your test. This applies to the above data concerning your health, specifically to the analysis of your sample, your test result, result date, sample kit ID, result lab code, sample date, the detection method used and result status and the combination of these data with your contact details, and further data to handle delivery and processing, if you send in your sample and submit your contact details through our website at https://kaap.empowerdx.de, or myreturnportal.com or through the app.
There may also be other legal bases which justify the processing of your data, including, without limitation, the following:
- If processing is necessary for compliance with a legal obligation to which we are subject and no special categories of personal data (in particular data concerning your health) are processed, this will be done on the basis of Art. 6(1)(c) GDPR in conjunction with the applicable law, regulation or other legal requirement.
- If your contact data and data concerning your health are disclosed to the competent public health office, this will be done on the basis of Art. 9(2)(i) GDPR, Sec. 22 Para. 1 No. 1c FDPA in conjunction with Sec. 9 Para. 2 No. 1, Sec. 7 Para. 1 No. 44a, Sec. 8 Para. 1 No. 2 of the German Act on the Prevention and Control of Human Infectious Diseases (IfDA). These legal requirements require managers of private testing facilities which provide infectious disease diagnostics services to report all cases in which the coronavirus SARS-CoV-2 was directly or indirectly detected to the competent public health office, stating the name of the person tested, if the test indicates that the infection is acute. Therefore, processing of these data is necessary on the basis of EU Member State law for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health.
- Where processing of your personal data falls within the definition of legitimate interests pursued by us or a third party, we process your personal data on the basis of Art. 6(1)(f) GDPR, for example data required for technical purposes, to operate and provide our websites and our app to you and to ensure our websites and our app are safe.
The provision of your data is a requirement necessary to enter into the contract between us. Without the provision of your data we cannot process your order and cannot comply with our statutory reporting obligations.
When you visit our websites or our app, information in the form of cookies may be stored on your terminal. Cookies are small text files sent by a web server to your browser and stored on your terminal. They will be sent back to our webserver on each subsequent visit. Cookies allow us, for example, to recognise you the next time you access our websites or our app. Cookies can be classified into “first-party cookies” (these are cookies placed on your device by our website domain) and “third-party cookies” (cookies placed on your device by third-party website domains). There are generally 4 categories of cookies:
- Strictly Necessary Cookies. These cookies are essential to the functionality of our websites/our app (Category 1),
- Functionality Cookies (Category 2) and Performance Cookies (Category 3). These cookies are used to enhance your browsing experience and to improve how our websites/our app work, and
- Targeting and marketing Cookies (Category 4). These cookies may be used to analyse user behaviour on our websites/our app and to deliver advertising to you that is relevant to your interests.
For more detailed information about the cookies we use on our website https://empowerdx.eu, please refer to the “Merchant storefronts” section on the following website: https://www.shopify.com/legal/cookies and in the following tables:
Strictly Necessary Cookies
Functionality Cookies and Performance Cookies
Targeting and marketing Cookies
- Your order number
- Your email address and a Boolean value indicating whether the address has been confirmed
- Your telephone number and a Boolean value indicating whether the number has been validated
- The status of your COVID-19 | Sample collection kit
- A Boolean value indicating whether a travel certificate needs to be issued
- Your system-assigned user ID
- A Boolean value indicating whether the user has been authenticated based on a JWT token
5. Transfer of personal data to recipients
We will transfer personal data to third parties only to the extent necessary for the provision of our services or if required by law in this context.
For the purposes set out above, we will also transfer personal data to service providers and other third parties who work for us or otherwise assist us in providing our services to you. In addition to having a statutory obligation to comply with all applicable data protection requirements, these service providers are also bound, if applicable, by further contractual terms agreed with us regarding data protection. If the recipient concerned acts as data processor for us, this includes, in particular, the obligations of a data processor pursuant to Art. 28 GDPR. The categories of recipients to whom we will transfer personal data as aforesaid include, but are not limited to:
Providers of IT, hosting and infrastructure services for our websites and our app, including invoice creation, providers of cloud services (including shop solutions), specifically:
- Eurofins Genomics Europe Shared Services GmbH, Anzingerstr. 7a, D-85560 Ebersberg
- Eurofins Genomics Europe Applied Genomics GmbH, Anzingerstr. 7a, D-85560 Ebersberg
- FORSBERG+two, Tranegårdsvej 74, 2900 Hellerup, Denmark
Providers of laboratory services:
- Eurofins Genomics Europe Applied Genomics GmbH, Anzingerstr. 7a, D-85560 Ebersberg
Postal services providers, specifically:
- Eurofins Genomics Europe Applied Genomics GmbH, Anzingerstr. 7a, D-85560 Ebersberg
Payment services providers:
- Shopify International Limited, 2nd floor, 1-2 Victoria Buildings, Haddington Road, Dublin 4, D04 XN32
- PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg
Electronic communications providers:
- Twilio Ireland Limited, 25-28 North Wall Quay, Dublin 1, Ireland
Providers of call centre and customer support services, specifically:
- Majorel Berlin, Wohlrabedamm 32, D-13629 Berlin
We will disclose your data to official authorities only within our legal obligations or to comply with an official order or court decision or on the basis of your consent and only to the extent permitted by applicable data protection laws, particularly in the following cases:
- To the competent public health office in line with our reporting obligation on the basis of Art. 9(2)(i) GDPR, Sec. 22 Para. 1 No. 1c FDPA in conjunction with Sec. 9 Para. 2 No. 1, Sec. 7 Para. 1 No. 44a, Sec. 8 Para. 1 No. 2 IfDA.
6. International data transfers
Countries outside the European Union (and the European Economic Area – EEA) treat the protection of personal data differently than countries in the European Union. We also use service providers located in third countries outside the European Union to process your data. As far as potential transfers of data to Canada in connection with our service provider Shopify are concerned, the European Commission has decided that the country offers an adequate level of data protection. More detailed information about the adequacy decision can be found here.
Therefore, where we transfer data to countries outside the EEA, specifically the US, that do not offer an adequate level of data protection, we have safeguards in place to ensure the safety of the processing of your data in third countries. For the protection of your data, we sign the standard contractual clauses created by the European Commission of the European Union with service providers located in third countries.
For more information about the safeguards we have in place, please contact us via firstname.lastname@example.org.
7. Use of Google Analytics
If you have given your consent in the cookie consent tool, the website https://empowerdx.eu uses Google Analytics, a web analytics service provided by Google LLC. The responsible service provider in the EU is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google").
During your website visit the following data will be collected:
- the pages you call up, your "click behavior"
- achievement of "website goals"
- your user behavior (for example clicks, dwell time, bounce rates)
- your approximate location (region)
- your IP address (in abbreviated form)
- technical information about your browser and the end devices you use (e.g. language settings, screen resolution)
- your internet provider
- the referrer URL (via which website/advertising medium you came to this website)
On our behalf, Google will use this information to evaluate your pseudonymous use of our website and to compile reports on the activities. The reports provided by Google Analytics are used to analyse the performance of our website.
The recipient of the data is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland as a data processor. We have concluded a data processing agreement with Google for this purpose. Access by Google LLC, based in California, USA, and possibly US authorities to the data stored by Google cannot be ruled out.
A transfer of data to the USA or other countries that do not offer a comparable level of data protection as in the European Union cannot be ruled out in this context. For this purpose, we have concluded standard contractual clauses with Google provided by the EU Commission.
The data sent by us and linked to cookies is automatically deleted after 14 months. Data is automatically deleted once a month as soon as the storage period is reached.
You can also prevent Google from collecting the data generated by the cookie and related to your use of the website (including your IP address) and from processing this data by
- not giving your consent to the setting of the cookie or
- for website-based use, downloading and installing the browser add-on to disable Google Analytics HERE.
You can also prevent the storage of cookies when using our website by configuring your browser software accordingly. However, if you configure your browser to reject all cookies, this may limit functionality on this and other websites.
The legal basis for this data processing is your consent, Art. 6(1)(a) GDPR. You can revoke your consent at any time with effect for the future by calling up the cookie settings in the cookie consent tool and changing your selection there.
It cannot be ruled out that Google uses the data described in this section for its own purposes and links it to other data such as possibly existing Google accounts.
We will erase your personal data according to standard procedures we have in place when your data are no longer necessary in relation to the purposes of processing stated above or, in the event that you have objected to their processing, if there is no compelling legitimate interest to the contrary or, in the event that you have withdrawn your consent, if there is no other legal basis for their processing. In certain cases, e.g. if statutory retention periods apply (e.g. 6 years pursuant to Sec. 257 Para. 1 of the German Commercial Code and 10 years pursuant to Sec. 147 Para. 1 of the German Tax Code with respect to commercial and business correspondence, invoices, quotes etc.), your personal data will be first blocked and then erased following the expiration of the retention period.
9. Data security
Eurofins LifeCodexx GmbH has implemented technical and organisational safeguards to protect the personal data you provided against loss, destruction, falsification and unauthorised access. Our staff and all others involved in their processing are required to abide by all relevant legislation pertaining to data protection and to maintain confidentiality in handling personal data. We use a secure transmission protocol known as Secure Sockets Layer (SSL) to keep the personal data of our users secure. You can tell that SSL is in use when the address in your browser’s address bar changes from http:// to https:// or a green closed padlock icon appears on your browser status bar. By clicking the padlock icon you can view information about the SSL certificate being used. The look and location of the padlock icon may vary depending on the browser you use. SSL encryption ensures that the transmission of your data is secure and complete.
10. Your rights
As the Data Subject, i.e. as the natural person whose personal data are processed, you have the right to obtain confirmation as to whether or not personal data concerning you are being processed by us and, where that is the case, access to the data we hold about you and the right to obtain a copy of the personal data undergoing processing (Art. 15 GDPR). If inaccurate personal data are being processed, you have a right to rectification (Art. 16 GDPR). If the statutory conditions for this are met, you have the right to request erasure or restriction of processing of your data (Art. 17 and 18 GDPR).
If the processing is based on your consent pursuant to Art. 6(1)(a) or Art. 9(2)(a) GDPR, you have the right to withdraw your consent with effect for the future at any time (Art. 7(3) GDPR). Please note that if you withdraw your consent with effect for the future, this does not affect any processing carried out on the basis of that consent prior to its withdrawal.
If the processing is based on your consent or your data are processed for the performance of the contract with you and the processing is carried out by automated means, you have the right to data portability of the data you provided to us (Art. 20 GDPR).
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based only on point (e) or (f) of Art. 6(1) GDPR (Art. 21(1) GDPR). Where your personal data are processed for direct marketing purposes on the basis of Art. 6(1)(f) GDPR, you have the right to object at any time to such processing (Art. 21(2) GDPR) without having to demonstrate grounds relating to your particular situation.
Moreover, you have the right to lodge a complaint with the competent supervisory authority:
Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg
[State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg]
Königstrasse 10a, 70173 Stuttgart, Germany.
If you have any queries or complaints on the subject of data protection, please do not hesitate to contact our Data Protection Officer, using the contact details provided in section 1.
11. No automated individual decision-making
We will not use your personal data for automated individual decision making within the meaning of Art. 22(1) GDPR.
12. Changes to this Privacy Notice
We will continually review and update this Privacy Notice to accommodate any changes in the law, business decisions or technical progress. The current version will always be available on our websites and in our app.