Data protection declaration Discon GmbH distance measurement and infection evaluation
In this data protection declaration you will find out which data is collected when using the Discon devices, how they are used and what data protection rights you have.
1. The device and software are provided by Discon GmbH. The provider of the acquisition software is Discon GmbH, Nunsdorfer Ring 21, 12277 Berlin. Discon GmbH is also the data protection officer for the processing of personal data of the users of the device and software. You can reach the data protection officer of Discon GmbH at the above address (for the attention of the data protection officer) and by email to: (firstname.lastname@example.org)
2. Use of the devices: The use of the devices is part of events / trade fairs, companies in order to only inform those people who have been in contact with an infected person within 4 weeks, retrospectively, if an infection has become known. Your consent is required for the software to process your personal data as part of the risk assessment. If an infection risk is determined for you, your data also represent health data. Your consent is required, otherwise the evaluation of the contacts to other devices cannot be carried out. Possibly share separate consents for data processing and test results. The data processing within the scope of these functions is described in more detail in the following sections
3. Legal basis for data processing: Discon GmbH only processes your personal data on the basis of your consent. According to Article 6 Paragraph 1 Clause 1 Letter a and Article 9 Paragraph 2 Letter a of the General Data Protection Regulation (GDPR). You can revoke your consent at any time. Further information on your right of withdrawal and information on how you can exercise this can be found in section 10.
4. Scope: people who are in Germany and who are at least 16 years old.
5. Which personal data are processed? The software is designed in such a way that only necessary personal data is processed. This means, for example, that the software does not collect any data that would enable other users to infer your identity or your health status. In addition, the software dispenses with any recording or analysis of your usage behavior using tracking tools. The data processed by Discon GmbH can be assigned to the following categories:
5.1 Database: device data Device data is generated as soon as the distance between the devices is less than 1.5 m. Then an optical / acoustic alarm is triggered in the devices involved (LED / sound / vibration) and the device IDs, the alarm time and alarm duration are transferred to an online database of Discon GmbH. The transmission ends as soon as the minimum distance of approx. 1.5 m is exceeded again. – Application / event: For an event or application, device ID, anonymous user ID, date and time are recorded upon admission and at the end of use and also stored with the device ID in Discon GmbH’s online database .
5.2 Database: User registration In a second database, the participants are registered for an event
5.3. Evaluation: In the case of a reported case of infection to the organizer, company, Discon GmbH, Discon GmbH determines the device IDs assigned to the anonymous user ID in the corresponding period of use for which an alarm was recorded in the corresponding period (contact log). 5.3.1 List The users of the potentially affected devices are then determined, a list is created (I20 contact log) and reported to the responsible health authority. When using the Discon devices, existing and switched on Discon devices measure connections with each other via BLE and transmit the device IDs digitally (encrypted) via (GSM) to a database of Discon GmbH at a distance of less than 1.5m. These data are only device data. A device-specific QR code is assigned to each device. In a second step, the ID assigned to the user is recorded in a second, independent database with a QR code. This badge is manually attached to the device. The QR code of the device and the user is also recorded manually. If an infection is reported within 14 days (of detection), an evaluation of the contact chain takes place. (The distances from other devices to this device were less than approx. 1.5 m and had a continuous duration of longer than 10 minutes). (Contact log) Then, in a third step, the persons assigned to the corresponding devices are determined from the device contact log. (I20 contact log) Personal data is not recorded, processed or evaluated in the devices. Device access data is only processed to secure and maintain the technical infrastructure. The personal data recorded in a separate database will be deleted after 4 weeks.
6. Obligation to report infection / conditions of use The user of a Discon device who was infected within an event or period of use (positive test within 14 days of incubation after the event date) must inform the organizer, employer, company as follows: – to Discon GmbH via the link in the registration or – in writing / by telephone to the organizer or employer (date, place of the event, QR code with personal ID, or optionally surname, first name, email address)
7. Who will your data be passed on to? Your data will only be saved in Discon GmbH’s internet-based databases. Results from evaluations will be communicated to the organizer and / or the responsible health department with your consent.
8. Will data be transferred to a third country? The data generated by the use of the Discon devices is processed exclusively on servers in Germany or in another EU or EEA member state.
9. Revocation of consent You have the right to revoke the consent you have given to the organizer and Discon GmbH at any time with effect for the future. However, this does not affect the legality of the processing up to the point of revocation. To revoke your consent, please send an email to email@example.com.
10. Your further data protection rights If Discon GmbH processes your personal data, you also have the following data protection rights:
• the rights under Articles 15, 16, 17, 18, 20 and 21 GDPR,
• the right to contact the official data protection officer of Dicon20 GmbH and to raise your concerns (Article 38 Paragraph 4 GDPR)
• the right to lodge a complaint with a competent data protection supervisory authority.
To do this, you can either contact the responsible supervisory authority at your place of residence or the health authority responsible at the headquarters of Discon GmbH.
The competent supervisory authority for Discon GmbH is the Federal Commissioner for Data Protection and Freedom of Information, Graurheindorfer Str. 153, Berlin. It should be noted that the aforementioned rights of Discon GmbH can only be fulfilled if the data to which the asserted claims relate can be clearly assigned to your person. This would only be possible if Discon GmbH collects further personal data that allow a clear assignment of the above-mentioned data to your person. Discon GmbH is not obliged to collect such additional data (Article 11 Paragraph 2 GDPR). For this reason, the aforementioned data protection rights from Articles 15, 16, 17, 18, 20 and 21 GDPR can usually not be fulfilled immediately and only with additional information about yourself that Discon20 GmbH does not have. Status: 07/14/2020