Privacy policy website www.lacova.org

I.     Introduction and terms 

​

1 GENERAL

By operating our website with the URL www.lacova.org (hereinafter referred to as “website”) we process personal data. We treat these confidentially and process them in accordance with applicable laws - in particular the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG). With this privacy policy we want to inform you about what personal data we collect from you, for what purposes and on what legal basis we use it and, if necessary, to whom we disclose it. In addition, we will explain to you what rights you have to protect and enforce your data protection.

 

2. TERMS

Our data protection regulations contain technical terms that are found in the GDPR and the BDSG. For your better understanding, we would like to explain these terms in simple words:

2.1 Personal data
“Personal data” is all information that relates to an identified or identifiable person (Art. 4 No. 1 GDPR). Information about an identified person can e.g. B. the name or the email address. However, personal data also includes data where the identity is not immediately obvious, but can be determined by combining your own or third-party information and thus finding out who it is. For example, a person will B. can be identified by providing your address or bank details, your date of birth or user name, your IP addresses and/or location data. All information that allows a conclusion to be drawn about a person in any way is relevant here.

2.2 Processing
Art. 4 No. 2 GDPR refers to “processing” as any process in connection with personal data. This applies in particular to collecting, recording, organizing, arranging, storing, adapting or changing, reading out, querying, using, disclosing, transmitting, distributing or any other form of provision, comparing or linking , the restriction, deletion or destruction of personal data.

2.3 Health data
The term “health data” is defined in Article 4 No. 15 GDPR as personal data that relate to the physical or mental health of a person, including the provision of health services, and from which information about the state of health of that person emerges.

II.   Responsible person and data protection officer 

 

3. RESPONSIBLE

Responsible for data processing is:

Company: La Cova UG (“we”)
Legal representative: Benedikt Pliquett (Managing Director)
Address: Reeperbahn 152, 20359 Hamburg
Telephone: 015237755593
Email: dance@lacova.org

 

4. DATA PROTECTION OFFICER

 

We have appointed an external data protection officer for our company. You can reach him at:

 

Name:                                   Arne Platzbecker

Address:                               HABEWI GmbH & Co. KG, Palmaille 96, 22767 Hamburg

Telephone:                                 040/ 46008966

Fax:                                         040/ 46008977

Email:                                   datenschutz@habewi.de

 

III.  Processing framework

 

5. PROCESSING FRAMEWORK: WEBSITE

As part of the website, we process your personal data listed in detail below in Section IV. We only process data from you that you actively provide on the website (e.g. by filling out forms) or that you automatically provide when using our offer.

Your data will be processed exclusively by us and will not be sold, loaned or passed on to third parties. If we use the help of external service providers to process your personal data, this takes place within the framework of so-called order processing, in which we as the client are authorized to give instructions to our contractors. To operate our website, we use an external service provider to create it using a homepage builder and to host it.

ALL-INKL.COM - Neue Medien Münnich (address: Hauptstraße 68 | D-02742 Friedersdorf). If other external service providers are used for some of the processing operations listed in Section IV, they will be named there.

Apart from the use of Wix, we generally do not and do not plan to transfer data to third countries. We will inform you about exceptions to this principle in the processing operations described below. Any data transfer to third countries will then take place on the basis of the so-called EU standard contractual clauses. 

IV.  Processing in detail 

 

6. RESERVE AN APPOINTMENT FOR FREE ANTIGEN TEST

6.1 Description of processing
You can reserve appointments for free antigen tests on our website. As part of your reservation, we process your personal data. You must fill out the mandatory fields marked with an asterisk “*” on our reservation form. This includes your last name, first name, email address, telephone number, address and date of birth. Otherwise it will not be possible for us to reserve an appointment for you. All other information is voluntary. 

6.2 Purpose
The processing is carried out for the free booking and reservation of antigen tests.

6.3 Legal basis
The processing is necessary to initiate, conclude and fulfill the contracts for free antigen tests (Art. 6 Para. 1 lit. b GDPR). 

6.4 Storage period
Due to commercial and tax law requirements, we are obliged to store your address, payment and order data for a period of ten years. However, we restrict processing after two years. This means that your data will then only be stored separately to comply with the statutory retention periods and will be deleted immediately after these have expired.

 

7. PURCHASE OF PAID TESTS

7.1 Description of processing
In order to take advantage of a PCR test, an antibody test or a paid Corona antigen test at our test station, you must make a paid booking in advance. It is possible to book an appointment for a fee via our website. As part of your ordering process, we process your personal data. The mandatory fields marked with an asterisk “*” in our booking form must be filled in by you. 

Choose one of the available dates shown; then click on the “CONTINUE” button. In the next step, you will be asked to provide further information about yourself and the other people to be tested. This includes your last name, first name, email address, telephone number, address and date of birth. On the one hand, your data is necessary in order to be able to record you as a contractual partner. In addition, recording the master data of all people to be tested when booking an appointment allows us to carry out the test at our test station in a time-saving manner, as you do not have to provide your master data (again) on site. You can pay for the booking made on our website using the payment methods offered (credit card, PayPal). When you place an order requiring payment, your master data will be transmitted to us and the data required for payment will be transmitted to the payment service provider.

7.2 Purpose
The data processing takes place for the proper conclusion, fulfillment and processing of the contract. In addition, we need the data for correspondence with you, for billing our services, for processing any liability claims that may exist and for asserting any claims against you. 

7.3 Legal basis
The processing of the personal data of the person to be tested listed in Section 7.1 is necessary for the conclusion and execution of the contract in accordance with Article 6 Paragraph 1 Sentence 1 Letter b GDPR. Without the data mentioned in Section 7.1, it is not possible for us to conclude the contract or fulfill our obligations under the contract.

7.4 Storage period
We will delete the data as soon as it is no longer needed to achieve the purpose for which it was collected. The personal data collected and processed by us as part of the contractual relationship will be stored until the end of the standard limitation period (3 years after the end of the calendar year in which the contract was terminated) and then deleted, unless we do so in accordance with Article 6 Paragraph 1 S. 1 lit. c GDPR are obliged to store data for a longer period of time due to retention and documentation obligations (especially from HGB or AO). We store your contract data and the associated documents for 10 years (Section 147 Paragraph 3 AO), other commercial and business letters for 6 years (Section 257 Paragraph 4 HGB).

7.5 Recipients
To process your payment, personal data will be passed on to one of the payment service providers listed below and selected by you as part of your purchase:

• PayPal: PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg. PayPal reserves the right to transmit personal data to credit reporting agencies for identity and creditworthiness checks. Further information about data protection at PayPal can be found at https://www.paypal.com/de/webapps/mpp/ua/privacy-full?locale.x=de_DE

 

8. PROCESSING THE TEST, LABORATORY RESULTS, REPORTING OBLIGATION

8.1 Description of processing

A sample will be taken from you on site. For antibody and antigen tests, the sample is evaluated on site at the test station. When you book a PCS test, your sample will be examined for the SARS-CoV-2 virus by an external laboratory. You will usually receive the test or laboratory results from us via SMS to the telephone number you provided. In the event of a positive laboratory result from a PCS test, the laboratory is legally obliged to report the findings, including your master data, to the responsible health authority for reasons of infection protection.

8.2 Purpose

The data is processed in order to be able to provide you with the laboratory results quickly and conveniently. If the result is positive, data processing is also carried out to fulfill legal reporting obligations and to protect the population from infection.

8.3 Legal basis and revocation of consent

The communication of the test or laboratory results by email has its legal basis in consent in accordance with Art. 6 Para. 1 lit. a GDPR, Art. 9 Para. 2 lit. a GDPR. Consent is voluntary and can be revoked at any time with future effect by simply sending us a statement (for contact details see section 3). 

The transfer of data to the health department in the event of a positive result is based on a public interest in the area of public health (Art. 9 Para. 2 lit. i GDPR) and specifically to protect citizens from health risks. The laboratory's reporting obligation is based on Art. 9 Para. 2 in accordance with Section 7 Para. 1 No. 44a, 8 Para. 2 No. 2 IfSG.

8.4 Storage period

We will store the examination or laboratory results for a period of 30 days and then delete them. The laboratory must store the samples for a period of one day and the associated laboratory results for a period of 10 years. These documents are then destroyed by the laboratory or the corresponding data is deleted.

8.5 Recipients

In the event of a positive laboratory result, we or the laboratory will transmit the result, including your master data, to the responsible health authority.

 

9. COOKIES

9.1 Description of processing
Our website uses cookies. Cookies are small text files that are stored on the user's device when they visit a website. Cookies contain information that enables the recognition of a device and, if necessary, certain functions of a website. We differentiate between our own cookies and external, so-called third-party cookies. Our site uses so-called “session cookies” and “persistent cookies”. “Session cookies” are automatically deleted when you end your internet session and close the browser. Persistent cookies remain stored on your device for a longer period of time. We only use cookies that are technically necessary for the operation of our site. No consent is required for these cookies. 

You can find out which cookies are used on our website for what purpose, how long they are stored on your device and what consent you may have already given in the settings of the cookie banner.

9.2 Purpose
We use cookies to make our website more user-friendly and to offer the functions described in section 7.1.

9.3 Legal basis
The processing is necessary to protect the overriding legitimate interests of the person responsible (Article 6 (1) (f) GDPR). Our legitimate interest lies in the purpose stated in Section 9.2.

9.4 Storage period
Cookies are automatically deleted at the end of a session or when the specified storage period has expired. Since cookies are stored on your device, you as a user have full control over the use of cookies. By changing the settings in your internet browser, you can deactivate or restrict the transmission of cookies. Cookies that have already been saved can be deleted. This can also be done automatically. If cookies for our website are deactivated, deleted or restricted, it may be that individual functions of our website cannot be used or can only be used to a limited extent.

9.5 Recipients
When using third-party cookies, data may be transmitted to the relevant providers of these third-party services. Under certain circumstances, data may also be transferred to third countries outside the European Union or the European Economic Area. We provide information about the recipients of data and third-country transfers in the relevant passage on the third-party service in these data protection regulations. 

 

10. CONTACT FORM AND CONTACT BY EMAIL

10.1 Description of processing
To get in touch, we have provided a contact form on our website. In this form you will be asked to enter your email address, your name and a message for us. If you press the “Send” button, the data will be transmitted to us using SSL encryption (see section 11). The contact form can only be submitted if you accept our data protection regulations by clicking on the relevant checkbox. You can also contact us using the email addresses provided on the website. In this case, the personal data transmitted by email will be processed by us.

10.2 Purpose
By providing a contact form on our website, we want to offer you a convenient way to get in touch with us. The data transmitted with and in the contact form or your email will be used exclusively for the purpose of processing and answering your request.

10.3 Legal basis
The processing is necessary to protect the overriding legitimate interests of the person responsible (Article 6 (1) (f) GDPR). Our legitimate interest lies in the purpose stated in Section 8.2. If the email contact is aimed at concluding or fulfilling a contract, the data is processed to fulfill the contract (Art. 6 Para. 1 lit. b GDPR).

10.4 Storage period
We will delete the data as soon as it is no longer required to achieve the purpose for which it was collected. This usually occurs when communication with you has ended. Communication ends when the circumstances indicate that your concern has been finally clarified. If statutory retention periods prevent deletion, deletion will take place immediately after the statutory retention period has expired.

 

11. SOCIAL NETWORKS

11.1 Description of processing
Our website does not use so-called social media plugins. The Instagram logo displayed on our website is only linked to our company's corresponding profile on the social network. There is no data transmission to social networks when the logo is integrated. If you click on the Instagram logo, you will simply be redirected to the social network's external website.

However, data processing represents our profile within the social network Instagram. If you are logged in to Instagram when you visit such a profile, this information will be assigned to your user account there. If you interact with our profile, e.g. commenting or “liking” a post, this information is also stored in your user account. We can usually also see your interactions with our profile.

On the social network Instagram we have the opportunity to receive statistical data about the use of our Instagram profile via the so-called “Insights” function. These statistics are provided by Instagram. The “Insights function” is not essential. We cannot decide to turn this feature on or off. It is available to all Instagram business account operators, regardless of whether you use the Insights feature or not. Instagram Insights provides us with anonymous data about the development and reach of our Instagram profile, as well as the posts, stories and videos we post there. In the Instagram Insights we also receive statistical information about the place of origin, gender and age of the subscribers to our Instagram profile.

The social networks with which you communicate store your data using pseudonyms as usage profiles and use them for advertising purposes and market research. For example, you may be shown advertisements within the social network and on other third-party websites that match your presumed interests. For this purpose, cookies are usually used, which the social network stores on your device. You have the right to object to the creation of these user profiles, which you must contact the social networks directly to exercise.

11.2 Purpose
We maintain a profile on the aforementioned social network Instagram for the purpose of public relations and corporate communication with customers and interested parties. We use Instagram's “Insights” function to evaluate the reach of our posts on the social network and to make them more appealing to our visitors in the future.

11.3 Legal basis
The legal basis for data processing within the scope of our profiles on social networks is the protection of our overriding legitimate interests (Art. 6 Para. 1 lit. f GDPR). Our legitimate interest lies in the purpose stated in Section 9.2. If you are asked for your consent by the respective operator of a social network, the legal basis is Article 6 Paragraph 1 Letter a GDPR.  The data processing takes place with regard to  and our Instagram page on the basis of joint responsibility in accordance with Art. 26 GDPR. 

11.4 Recipients and transmission to third countries
The respective social networks are operated by the companies listed below. Further information on data protection with regard to our profile on social networks can be found in the linked data protection regulations.

• Instagram: Instagram LLC, 1601 Willow Rd, Menlo Park, California 94025, USA; Privacy Policy: https://help.instagram.com/155833707900388/.

The social networks also process your personal data in the USA.

 

12. GOOGLE MAPS

12.1 Description of processing
Our website uses “Google Maps”, a service for displaying maps from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter referred to as “Google”). We use Google Maps by including a map with our business address on our website. The map is loaded directly from a Google server. In order for this to happen, your browser sends a request to a Google server. This means that we may also transmit your IP address to Google in conjunction with the address of our website. However, Google Maps does not store cookies on your device. If you are logged in to Google when you visit our site, Google Maps assigns this information to your Google user account. Google saves your data as usage profiles and uses them for advertising purposes, market research and/or to tailor Google websites to your needs. You have the right to object to the creation of these user profiles, which you must contact Google directly to exercise. Further information about data protection at Google can be found at https://policies.google.com/privacy?hl=de-DE.https://policies.google.com/privacy?hl=de-DE.

12.2 Purpose
The processing takes place in order to be able to show you an interactive map on our website.

12.3 Legal basis
The processing is necessary to protect the overriding legitimate interests of the person responsible (Article 6 (1) (f) GDPR). Our legitimate interest lies in the purpose stated in section.

12.4 Recipients and transmission to third countries
Google also processes your personal data in the USA.

 

13. GOOGLE TAG MANAGER

Our website uses the “Google Tag Manager”, a service provided by Google LLC, 1600 Amphitheater Parkway, Mountain View, CA 94043, USA (hereinafter referred to as “Google”). No personal data is collected via Google Tag Manager and no cookies are set. This service only allows us to integrate and manage tags on our website. Tags are small code elements on our website that are helpful for building on this with other tools such as measuring traffic and visitor behavior, recording the impact of online advertising and social channels, using remarketing and targeting, testing the website and to optimize. For more information about Google Tag Manager, see https://www.google.com/intl/de/tagmanager/use-policy.html.

V.   Safety measures

 

14. Security measures

 To protect your personal data from unauthorized access, we have provided our website with an SSL or TLS certificate. SSL stands for “Secure Sockets Layer” and TLS for “Transport Layer Security” and encrypts the communication of data between a website and the user’s device. You can recognize the active SSL or TLS encryption by a small lock logo that is displayed on the far left in the browser's address bar.

VI.  Your rights 

 

15. Rights of those affected

With regard to the data processing described above by our company, you are entitled to the following data subject rights:

15.1 Information (Article 15 GDPR)
You have the right to request confirmation from us as to whether we are processing personal data relating to you. If this is the case, you have a right to information about this personal data and to the information listed in detail in Art. 15 GDPR under the conditions set out in Article 15 GDPR.

15.2 Correction (Article 16 GDPR)
You have the right to request that we immediately correct any incorrect personal data concerning you and, if necessary, complete any incomplete personal data.

15.3 Deletion (Article 17 GDPR)
You have the right to request that we delete personal data concerning you immediately if one of the reasons listed in detail in Article 17 GDPR applies, e.g. B. if your data is no longer needed for the purposes we pursue.

15.4 Restriction of data processing (Article 18 GDPR)
You have the right to request that we restrict processing if one of the conditions listed in Article 18 GDPR is met, e.g. B. if you dispute the accuracy of your personal data, data processing will be restricted for the period that allows us to verify the accuracy of your data.

15.5 Data portability (Art. 20 GDPR)
You have the right, under the conditions listed in Art. 20 GDPR, to request the release of the data concerning you in a structured, common and machine-readable format.

15.6 Revocation of consent (Art. 7 Para. 3 GDPR)
You have the right to withdraw your consent at any time to processing based on consent. The revocation applies from the time it is asserted. In other words, it works for the future. The revocation of consent does not make the processing unlawful retroactively.

15.7 Complaint (Art. 77 GDPR)
If you believe that the processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority. You may exercise this right with a supervisory authority in the EU member state of your residence, your place of work or the place of the alleged infringement.

15.8 Prohibition of automated decisions/profiling (Article 22 GDPR)
Decisions that have legal consequences for you or that significantly affect you may not be based solely on automated processing of personal data - including profiling. We inform you that we do not use automated decision-making, including profiling, with regard to your personal data.

15.9 Right to object (Art. 21 GDPR)
If we process your personal data on the basis of Article 6 Paragraph 1 Letter f of the GDPR (to protect overriding legitimate interests), you have the right to object to this under the conditions set out in Article 21 of the GDPR. However, this only applies if there are reasons that arise from your particular situation. After an objection, we will no longer process your personal data unless we can demonstrate compelling legitimate reasons for the processing that outweigh your interests, rights and freedoms. We also do not have to stop processing if it serves to assert, exercise or defend legal claims. In any case - regardless of a special situation - you have the right to object to the processing of your personal data for direct advertising at any time.

 

As of: March 2021