Privacy Policy - luca App

Processing Activity luca

We, the Max Planck Institute for Chemical Energy Conversion, use the luca system to collect contact information of guests, customers and visitors to support contact tracing in connection with the fight against COVID infections.

Here you will be informed which data we, as the responsible party, collect or receive during contact data transmission using the luca system, how we store and process your personal data, and what rights you have as a data subject with regard to your personal data.

A. RESPONSIBLE

The entity responsible in the meaning of the General Data Protection Regulation and other national data protection acts as well as other data protection legislation is the

Max-Planck-Gesellschaft zur Förderung der Wissenschaften e.V. (MPG)
Hofgartenstrasse 8
D-80539 Munich
Telephone: +49 (89) 2108-0
Contact form: www.mpg.de/kontakt/anfragen
Internet: www.mpg.de

The data protection officer of the responsible party is

Heidi Schuster
Hofgartenstraße 8
D-80539 München
Telephone: +49 (89) 2108-1554
datenschutz(at)mpg.de

B. COLLECTION OF PERSONAL DATA

In order to support the fight against COVID infections, we collect your personal data when you check in at our location, provided that you consent to this. Personal data is any information relating to an identified or identifiable natural person.
This check-in and the associated transfer of your personal data to us is preferably done through the service luca in one of the following forms:

  • Use of the luca app
  • Use of the luca web app
  • Use of the luca badge
  • Use of the digital luca contact form

Check-in via the app can be done either by you scanning our QR code or by us scanning yours. If you decide to scan our QR code, the camera of the end device must be switched on. However, only the recording of the QR code is stored. No other new data is collected. If you register with us via the contact form in the browser, the contact details described in part C are collected again.


C. TYPE OF DATA PROCESSED

We may process the following data from you:

  • Contact details: Name, first name, address, telephone number, e-mail address.
  • Stay data: Name or designation of the restaurateurs, event organizers and other businesses where you stayed, as well as the date of your stay, the beginning and end of your stay, the address of your stay, and the geo-coordinates of your stay.
  • Additional input data: other information you submit through input fields in the luca application, such as your table location number.
  • Test result data: QR code with information on completed COVID-19 tests, esp. infection status of the tested person.
  • Test result, vaccination or recovery certificate data: If the document stored in the luca app is presented and the QR code stored for verification is scanned, the following data is processed: first and last name as well as date of birth, infection status and additionally:
    • In the case of the test result: type of test (PCR or antigen test), information on the test manufacturer, the test site and the issuing site of the certificate, test date and date of issue.
    • In the case of the recovery certificate: date of positive test, data on the issuing body, validity period.
    • For the vaccination certificate: date of vaccination, number of vaccinations, information on the vaccine (disease, manufacturer, product), data on the issuing authority.
  • Functional data: Data association IDs, keys, and QR codes.
  • Temporary usage data: Data that may be temporarily generated when using the luca app, i.e. IP address, IP location, type and version of the browser used and installed browser plug-ins, information on the mobile network used, time zone settings, operating system and platform.

D. PURPOSES OF PROCESSING | LEGAL BASIS OF PROCESSING

To support the fight against COVID infections, we record your contact details and residence times after your consent, so that in the event of new cases the health authority can trace a chain of contact if necessary. If we have received data from you, we will generally only process it for this purpose.

The following overview describes for which purposes and on which legal basis we process your personal data:

Overview by number, with processing and purpose followed by legal basis:

(1) Processing and purpose: Collection of your contact data, residence data, input data and functional data when visiting our premises and events for the fulfillment of the legal obligation.
    Legal basis: Art. 6 (1) 1 a) GDPR: consent. Consent by scanning our QR code, or having your QR code scanned.

(2) Processing and purpose: Determining your stay by checking in and out. These functions can be supported by using the camera and GPS function of your cell phone, if you voluntarily choose to do so. Only the information at which time you check in with us or leave the radius of our location is stored.
    Legal basis: Art. 6 (1) 1 a) GDPR: consent. Consent by switching on the GPS or camera function, if necessary after prompting in the app. You can revoke your consent for the future at any time by turning off your camera or GPS function (see also part H).

(3) Processing and purpose: Encrypted storage and further processing of your contact data, input data and functional data within the IT infrastructure of culture4life GmbH.
    Legal basis: Art. 6 (1) 1 a) GDPR: consent. Consent by scanning our QR code, or having your QR code scanned.

(4) Processing and purpose: Query and read your COVID test result, vaccination or recovery card.
    Legal basis: Art. 9 (2) a) in conjunction with Art. 6 (1) 1 a) GDPR: consent. Consent by showing the test, vaccination or recovery certificate.

(5) Processing and purpose: Transfer of your contact information, residence information, input information, and functional information to health authorities.
    Legal basis: Art. 9 (2) a) in conjunction with Art. 6 (1) 1 a) GDPR: consent. Consent by scanning our QR code, or having your QR code scanned.

E. RECIPIENTS OF PERSONAL DATA

The luca system is operated by culture4life GmbH. Its subcontractors are providers of software maintenance and software operation services (currently neXenio GmbH) and providers of IT infrastructure services (currently Deutsche Telekom AG and Bundesdruckerei Gruppe GmbH). There is an agreement on order processing between the responsible party and culture4life GmbH. The aforementioned recipients and subcontractors are not permitted to use your personal data in any way other than to support contact tracing for us.

In addition, we may release your personal data to health authorities upon request to enable tracking.

F. TRANSMISSION TO THIRD COUNTRIES

A transfer to a third country or an international organization will not be made.

G. DURATION OF THE STORAGE OF PERSONAL DATA

We store your personal data for a period of 4 weeks. Your personal data will be deleted after four weeks.

H. RIGHTS OF THE PERSON CONCERNED

With regard to the processing of your personal data, you have the following rights provided for in the GDPR:

  • The right to request a statement as to whether your personal data is being processed and, if this is the case, the right to information about this data: When using the luca system, your data is stored in encrypted form, so that the user secret in its unencrypted form generally remains only in the possession of the user. Therefore, as a rule, we cannot track whether personal data of a specific person is processed in the luca system. Like us, our contractor culture4life also does not possess the keys necessary for decryption and cannot assign your encrypted data object to you, decrypt it or view it. Unlike ourselves, you can view all data collected via the luca App and stored in encrypted form in your own history and contact details. Within the luca App, you also have the option to download your residence data collected by us by using the information button. All your data processed by us will be automatically deleted from the luca system in a regular period of 28 days.
  • The right to request the correction of your personal data if it is incorrect or incomplete (Art. 16 GDPR). You can only correct your contact data yourself in the luca app. This right is provided by the functionalities of the luca App. To exercise it, you only need to go to the relevant area within the luca App and make the correction/change. Your whereabouts data cannot be corrected. Due to encryption, such correction is not feasible for us or for our contractor culture4life.
  • The right, under certain conditions, to demand that your personal data be deleted immediately (so-called "right to be forgotten") (Art. 17 GDPR). When using the luca system, your key/user secret in its unencrypted form generally remains only in your possession. The data collected by us is encrypted with the key of the health department. Without this key, we cannot assign the aforementioned data to your person and accordingly cannot delete it. All your data processed by us will be automatically deleted from the luca system in a regular period of 28 days.
  • The right to request the restriction of the processing of your personal data under certain conditions (Art. 18 GDPR). We are also unable to fulfill this right due to encryption and because we ourselves do not have the keys necessary for decryption.
  • The right to object to the processing of your personal data in certain situations, provided that the processing is based on a legitimate interest of us or a third party pursuant to Art. 6 (1) 1 f) GDPR or your personal data is processed for direct marketing purposes (Art. 21 GDPR).
  • The right to revoke at any time any consent given to us with regard to the processing of your personal data (for the collection of the check-out time by means of geo-fencing as well as for the use of your camera). Such revocation does not affect the lawfulness of the processing that took place until your revocation. Please note that in case of revocation, the encrypted data cannot be assigned to you due to the encryption and therefore cannot be excluded from processing until its automatic deletion.

Please note that we generally do not process your personal data in the form of plain data, but in encrypted form, and therefore in certain cases we will not be able to comply with a corresponding request by you to grant the aforementioned rights.

To exercise these rights against us, you may also contact us using the contact details set out in Part A of this Privacy Policy. Notwithstanding the foregoing rights, you have the right to lodge a complaint with our competent supervisory authority for data protection and freedom of information. The address is:

State Commissioner for Data Protection and Freedom of Information
Bavarian Data Protection Authority (BayLDA), Postbox 1349, 91504 Ansbach.

  • Withdrawal of consent (Art. 7 (3) GDPR)
  • Information (Art. 15 GDPR)
  • Correction (Art. 16 GDPR)
  • Deletion (Art. 17 (1) GDPR)
  • Restriction of processing (Art. 18 GDPR)
  • Data portability (Art. 20 GDPR)
  • Objection to processing (Art. 21 GDPR)
  • Right of appeal to the supervisory authority (Art. 77 GDPR).

I. VERSION

This is the current version of our privacy policy. We reserve the right to adapt this data protection declaration (in particular in the event of changes to the legal situation or changes to our services). Changes to this data protection declaration will be communicated to you separately, if necessary before a change to our services takes effect. Nevertheless, we recommend that you check this data protection declaration at regular intervals.