Ecolog is a worldwide leader in the field of logistic solutions. This Data Protection Policy (hereinafter referred to as “Policy”) explains the relevant processing of Personal Data and the relevant data protection rights when you use the website lux-airport.ecocare.center and related websites and the services offered by Ecolog on those websites, in particular the Eco-Care COVID-19 Test at the places designated on our websites and through the Ecocare App.
2. Mandatory information under the GDPR
2.1 Responsible controller and contact details
Data controller and responsible entity for the processing of Personal Data is
Ecolog Deutschland GmbH
In der Steele 14,
40599 Düsseldorf, Germany
You can reach our data protection officer under the same address with the addition “Attn: Data Protection Officer” or by email under firstname.lastname@example.org
2.2 Processing of Personal Data, Purposes and Legal Basis
Ecolog processes and stores different Personal Data and Individuals have the data protection rights listed below.
1 Provision of the website
When you use our websites, data on your usage (such as the date and time of your visit, pages called up and files requested, type and version of the web browser used by you, type and operating system of the end device you use as well as your IP address) is temporarily stored in a log file on our server. The processing of the server log data is necessary for technical reasons in order to provide the website and render the services and thereafter to ensure the system security.
The legal basis for the processing is our legitimate interest in providing the website with our services (Art. 6 para. 1 (f) GDPR). The processing is a mandatory prerequisite for the use of our website; no objection right is hence available.
This data is deleted after 12 days at the latest.
The server log data may then be assessed in anonymised form for statistical purposes and to improve the quality of our internet presence. There is no link between the server log data and your personal data nor is the server log data combined in any way with other personal data sources.
2.2.2. Registration for voluntary Testing at our testcenter close to Luxembourg Airport.
On our websites and through our app you can register for and book an appointment for testing at our testcenter in Luxembourg airport When you register you must enter you name, gender, contact details (i.e. address, telephone number, e-mail address), birth date, country, name of physician and phonenumber of physician and passport number) and set a personal password.
We process the registration data in order to set up and manage your customer account and administrate your testing appointment.
The legal basis for the processing is our legitimate interest pursuant to Art. 6 para. 1 (f) GDPR in providing you with the aforesaid “customer account” service, respectively the performance of a contract on the testing with you (Art. 6 para. 1 (b) GDPR).
This data is deleted when the registration on our website, respectively the customer account, is cancelled or modified.
You can object to a processing of your data on the basis of Art. 6 para. 1 (f) GDPR (according to Art. 21 (1) GDPR). In such cases we may, in principle, prove mandatory reasons for the processing in order to continue such processing. While it is possible to close the customer account, we will need continue to process the registration data in order conduct and administrate the registered testing.
2.2.3 Testing and Notification of Test Results
Subject to your consent, we (and for the actual testing, our partners as described further below) collect and process Personal Data from registered Clients at the testing facility to (i) check your identity at the testing appointment, (ii) to conduct and administrate the subsequent testing of the samples, provide the certificate relating to the testing and to re-connect the test results to the right individuals, (iii) to notify the test results to the Clients electronically, and (iv) to invoice our services. Please note that the test results (at least in case of a positive Covid test) are considered health data in the meaning of Art. 9 para. 1 GDPR:
- Registration data (see above)
- Your Body Samples,
- results of the biochemical analysis
- payment data (e.g. name and creditcardnumber)
Any Personal Data of a Client will be stored for max. one month, unless otherwise stated in this statement. The body sample and the testkit is not stored at all. The legal basis for the processing is the conclusion and fulfilment of the contract with the Client for the testing service, Art. 6 para. 1 (b) GDPR, as well as for the handling of the health data and the notification via electronic means your consent, Art. 6 para. 1 (a) and Art. 9 para. 2 (a) GDPR.
Subject to your consent, Ecolog Deutschland GmbH can use your emailaddress to send you a newsletter regarding our Ecocare services in the field of COVID-19 testing, vaccination for COVID-19 and related services for maximum 4 times per year via E-mail. With every newsletter you will have the opportunity to opt out and withdraw your consent. You can also object to receiving the newsletters at any time by sending an email to email@example.com
2.2.4 Cookies on our Websites
Cookies already stored on your device, can be deleted at any time, using the browser functionality. Non acceptance of Cookies, however, can lead to functional restrictions.
a) Required Cookies and comparable technologies (“Required Cookies”)
Required Cookies are used to enable basic website functionalities such as page navigation, to verify if a visitor has read the cookie notification, and to save visitor’s cookie settings. Therefore we use our own Cookies. Required Cookies cannot be disabled, otherwise our Website would not function correctly. The legal basis for the processing is Art. 6 para. 1 (b) GDPR.
b) Statistical Cookies and comparable technologies (“Statistical Cookies”)
Statistical Cookies are used to analyse and improve our Website on the basis of general usage patterns. The legal basis for the processing is your consent, Art. 6 para. 1 (a) GDPR.
This website uses Google Analytics, a web analysis service of Google Inc. (“Google”). The information regarding your usage of this website generated by the use of Google Analytics is transmitted to and stored on a Google server in the US. However, due to the activated IP anonymisation on this website, Google will previously abbreviate your IP address within the member states of the European Union and in other contracting states under the Agreement on the European Economic Area. Only in exceptional cases will a full IP address be transmitted to a Google server in the U.S., where it will then be shortened. The IP address transmitted by the browser of the user will not be merged with any other Google data.
Google will use this information on our behalf to analyse the usage of our online offer by users, to compile reports on the activities regarding the use of the online offer, and to render further services to us in connection with the use of our online offer and internet usage. In this context, pseudonymous user profiles may be created from the processed data.
Users can prevent the storage of cookies by adjusting the setting of their browser accordingly; moreover, users can prevent that the data generated by the cookie on their use of the online offer is transmitted to and processed by Google by downloading and installing the browser plugin available at: http://tools.google.com/dlpage/gaoptout?hl=de.
2.3 Exchanging data with third parties, Data Recipients
Your personal data are sometimes shared with or received from third parties. We will never sell your personal data to anyone. Categories and examples of third parties with whom we share personal data are:
- Swab sample and checking identification: We will check your identity before taking the body sample and we will take a body sample necessary to be analysed. The legal basis is your consent, Art 6. Para. 1 (a) GDPR.
Validation: We send a picture of the testresult to our partner Laboratories Reunies S.A. in Luxembourg for validation of the test. This is done on an anonymous basis. The legal basis is your consent, Art. 6 para. 1 (a) GDPR.
- We may use technical service providers to provide general IT services, operate and host our websites and for the electronic submission of the test results. These service providers are our processors, Art. 28 GDPR.
- If you use our app, data is shared with ND Business IT GmbH. This service provider is our processor, Art. 28 GDPR.
- Our testing service is not for free: We use Stripe and Ideal to process your payment. These service providers are our processors, Art. 28 GDPR.
- Supervisory bodies: We exchanges personal data with supervisory bodies (like the Luxembourg Healthcare Authority or the Luxembourg Data Protection Authority) if this is needed by the supervisory body to carry out its official duties. This is required by law; In case of a positive test we are obliged by law to share your personal data with the proper authorities in Luxembourg. A positive test result will be shared with the proper authorities. The legal basis is our legal obligations and/or the public health interests as required by applicable local laws, Art. 6 para. 1 (c, e) GDPR, Art. 9 para. 2 (g, i) GDPR.
Whenever we use the services of third parties for activities, we endeavour to ensure that data is processed only within the European Union or countries/organisations that the European Commission considers to guarantee an adequate level of security. However, this is not always possible. Your personal data – excluding data concerning your health – may be processed in a country other than those referred to above. If so, we will contractually ensure that these processors provide sufficient guarantees, typically by using so-called Standard Contractual Clauses (you can exercise your further rights under Art. 13 para. 1 (f) GDPR by contacting us under the address named above).
2.4 Retention period
Unless otherwise stated in this Policy we store Personal Data only for as long as necessary to fulfil our contractual obligations. Thereafter we immediately delete Personal Data. However, we are required to store certain Personal Data longer for statutory reasons. We are obliged to store certain Personal Data for a mandatory period from 2 to 7 years under the (Luxembourg) Commercial Code, the Luxembourg Tax Code, the Luxembourg Credit and Loans Act, the Luxembourg Money Laundering Act, and the Luxembourg Securities Act. Furthermore, we store certain Personal Data for the purpose of evidence in civil claims.
2.5 Data protection rights
You have the following data protection rights under the applicable legal requirements, which you can exercise at any time under the address mentioned under “2.1 Responsible data controller and contact details” with the addition “Attn: Data Protection Officer” or by email under firstname.lastname@example.org
2.5.1 Right of access
You have the right to obtain confirmation whether or not your Personal Data has been processed and if so, to access your Personal Data. The right of access may be restricted, e.g. by trade secrets or if restriction is necessary due to research purposes. Furthermore, the right of access may be restricted by other applicable laws. You can request a copy of your Personal Data – in general – free of charge. Ecolog may charge a fee though, if you request further copies.
2.5.2 Right to data portability
You have the right to receive your Personal Data, which you have provided to Ecolog, in a structured, commonly used and machine-readable format (e.g. PDF). Furthermore, you may have your Personal Data transferred to another legal entity. The right to data-portability may be restricted, e.g. by trade secrets or if restriction is necessary due to research purposes. Furthermore, the right to data-portability may be restricted by statutory law
2.5.3 Right to rectification
You have the right to obtain rectification of your inaccurate Personal Data, and the right to have your incomplete Personal Data completed.
2.5.4 Right to erasure
You have the right to have your Personal Data erased. Ecolog may be required by applicable laws to store certain Personal Data after receiving a request to erase your Personal Data though (further information can be found under 2.4 Retention period).
2.5.5 Right to restriction of processing
You have the right to obtain restriction of the processing of your Personal Data.
2.5.6 Right to object
You have the right to object to the processing of your Personal Data, if the processing is based on Ecolog’s legitimate interest (unless we can show our compelling legitimate grounds for the processing) or if your Personal Data are processed for direct marketing purposes.
2.5.7 Right to lodge a complaint
You have the right to lodge a complaint with the competent supervisory authority. You may also exercise this right with the supervisory authority of your place of residence, place of work or at the place where the alleged infringement occurred.
2.5.8 Right to withdraw a consent
Insofar as the processing of your Personal Data is based on your Consent, you have the right to withdraw your Consent at any time with effect for the future. In case of your consent to the testing and notification of test results that will mean that we will not stop the processing described above (see 2.2.3) after we have taking the samples.
2.5.9. No automated decision-making including profiling
We do not use automated decision-making, including profiling, referred to in Art. 22 paras. 1 and 4 GDPR.
2.5.10 Applicable national laws
Any further or modified rights under applicable national laws remain unaffected by the rights set forth herein.
In general, Ecolog will respond to Individuals’ no later than one (1) month after receiving an Individual’s Request. In exceptional cases, Ecolog may extend this period by two (2) further months with prior notice. If an Individual’s Request does not contain sufficient detail, Ecolog reserves the right to request additional information. Before denying any Individual’s Request, Associates must seek the advice of Ecolog’s legal department. Ecolog will provide the Individual with an explanation for any denied Individual’s Request.
All Associates must adhere to the principles and rules set out in this Policy. It is the responsibility of every Ecolog manager, director or supervisor to adhere to this Policy within his or her area of functional responsibility, to lead by example, and to provide guidance to those Associates reporting to him or her.
4. Security measures
Ecolog has taken extensive measures to ensure the security of Personal Data, including the following:
- Organizational measures: Preparation and implementation of an internal control plan, regular employee training and education;
- Technical measures: Management of access rights to its systems, installation of an access control system, encryption of certain Personal Data, installation of security programs;
- Physical measures: Restriction of access to all internal data centres (e. g. computer rooms, data storage rooms), and
- Contractual measures: Third-Parties which host our systems are contractually bound, subject to our instructions and to regular monitoring.
5. Consent to data processing
I, the undersigned, confirm that my sample, together with this form, enables Ecolog to process the test results and that my sample will be ananlyzed. Ecolog will share the final test results to you, and you will be informed of the results by us in an encrypted manner as stated in the contact form.
I, the undersigned, consent to my personal data and the test result being passed on to the responsible health department (GGD) in case of a positive test.
I, the undersigned, consent to the use of my personal data as described above in accordance with all applicable data protection regulations and laws, including the GDPR (as amended).
I ensure that the personal data entered by me on the form are correct.
6. Changes to this Policy
Ecolog is dedicated to the highest standards and to continuously improve its services. Therefore we may change our services from time to time. Such changes may affect the Processing of Personal Data. We reserve the right to amend this Policy at any time. The current version is available at lux-airport.ecocare.center and in the app. We advise you to inform yourself in regular intervals about the current status of this Policy.
This version of this Policy is effective from January 2021.