Data protection information for visitors of our test centre
We wish to provide you with the following information and thereby comply with the information obligations arising from the General Data Protection Regulation (GDPR).
KDP BioMed GmbH
Appointment bookings and billing are handled by our ticketing service provider ticket.io, with whom we have entered into a contract for order processing.
The purpose of processing is to conduct the respective test (COVID-19
“citizen rapid test”, PCR test, antigen or antibody test) and to issue the
result certificate. In the event of a free “citizen test”, processing also
occurs for the purpose of billing with the Association of Statutory Health
Depending on the reason for testing and the purpose of the result certificate, the voluntary entry of a document number (personal ID or passport) and nationality may also be appropriate. The purpose of this processing is to issue a complete certificate with all mandatory information; in the case of some countries, entry and/or exit is not possible without this information on the certificate. Please check the travel conditions with the Foreign Office before booking an appointment.
The fulfilment of a contract pursuant to Art. 6 (1b) GDPR provides the
legal basis for processing your data.
In the event of a positive test result, a duty to report the case to the local health department applies. The legal basis for transmitting your data in this case is a legal obligation pursuant to Art. 6 (1c) GDPR.
Your personal data is automatically deleted when it is no longer necessary for the purposes for which it was collected and no retention periods preclude deletion. Here are a number of relevant deletion or retention periods:
Retention or deletion period
Participant data and result data for free “citizen tests”
Deleted from the live database 60 days after testing and transferred to the archive; deleted from the archive database at the end of 2024
Billing of “citizen tests” with the Association of Statutory Health Insurance Physicians until the 15th of the following month or the retention period according to Section 7 (5) of the German Coronavirus Testing Regulation (Coronavirus-Testverordnung – TestV)
Participant data for privately paid COVID-19 tests
Section 147 of the Fiscal Code of Germany ( Abgabenordnung – AO), Section 257 of the German Commercial Code (Handelsgesetzbuch – HGB)
Result data for privately paid COVID-19 tests
Deleted from the live database 60 days after testing
Art. 6 (1c) GDPR in conjunction with Section 6 (1) No. 1 t) of the German Infection Protection Act ( Infektionsschutzgesetz – IfSG)
If you have any further questions regarding the storage of your data, please do not hesitate to contact us.
In order to ensure that only the tested person is able to access the result, different authentication methods are used depending on the laboratory software in use:
The transmission of the test result for online access occurs on the basis
of your consent provided when booking the appointment, in accordance with
Art. 6 (1a) in conjunction with Art. 9 (1a) GDPR.
Your test result is available to access for 72 hours.
If you* wish to use the Corona Warn App ("App") of the Robert Koch Institute ("RKI") to retrieve your test result of an antigen test, in order to retrieve your test result via the App, it is necessary that your test result is transmitted from the testing centre to the server system of the RKI.
In short, this is done by the testing centre storing your test result, linked to a machine-readable code, on a server of the RKI designated for this purpose. The code is your pseudonym; no further personal information is required to display the test result in the app. However, you can personalise the display of the test result by entering your name, first name and date of birth.
The code is formed from the scheduled time of the test and a random number. The code is formed by combining the aforementioned data in such a way that it is no longer possible to calculate back the data from the code.
You will receive a copy of the code in the form of a QR code that can be read into the app using the camera function of your smartphone. Alternatively, you can also receive the pseudonymous code as an internet link ("App Link"), which can be opened and processed by the app. This is the only way to link the test result with your app. With your consent, you can then retrieve your test result using the app. Your test result is automatically deleted from the server after 21 days. If you agree to the transmission of your pseudonymous test result by means of the code to the app infrastructure for the purpose of test retrieval, please confirm this to the staff of the testing centre. You can revoke your consent at any time with effect for the future. Please note, however, that due to the existing pseudonymisation, an assignment to your person cannot take place and therefore a deletion of your data will only take place automatically after the 21-day storage period has expired. You can also find details on this in the "Data protection information" of the Corona warning app of the RKI.
*If you are under 16 years of age, please discuss the use of the app with your parents or legal guardian.
Support regarding the booking of appointments is handled via our ticketing service provider ticket.io, with whom we have entered into a contract for order processing.
When establishing contact (e.g. via the contact form or email), personal data is collected. The types of data collected when using the contact form can be seen in the corresponding contact form. This data is stored and used exclusively for the purpose of answering your enquiry or for establishing contact as well as the associated technical administration. The legal basis for processing the data is our legitimate interest in answering your enquiry in accordance with Art. 6 (1f) GDPR. Your data is deleted after your enquiry has been conclusively resolved. This is the case when the circumstances indicate that the relevant subject matter has been fully clarified and where no statutory retention periods preclude deletion. Ticket.io uses the technical service provider ZOHO DESK for customer support: https://desk.zoho.eu/portal/tiosupport/de/home .
The data processed by cookies, necessary for the proper functioning of the website, is required to maintain our legitimate interest and the interests of third parties in accordance with Art. 6 (1f) GDPR.
Insofar as this has not been previously mentioned, as a rule personal data is not shared with third parties. However, we may avail ourselves of service providers – such as the processors already mentioned. As a result, it may be the case that a service provider obtains knowledge of personal data.
We only process data in the European Union.
You have the right to receive information about the personal data we process with respect to your personal identity. Moreover, you have the right to demand the rectification or erasure of the data or the restriction of processing, provided you are entitled to these rights by law.
Furthermore, you have a right to object to processing in accordance with statutory provisions. The same applies to the right to data portability.
In particular, you have a right to object in accordance with Art. 21 (1) and (2) GDPR to the processing of your data if this occurs on the basis of a balance of interests.
Lastly, you have the right to lodge a complaint with a supervisory authority responsible for data protection.