Legal Documents

Privacy Policy for the use of the DasLab services

This privacy policy describes how Das Lab GmbH (also referred to as "DasLab", "our", "us" and "we") collects, uses and discloses personal data in connection with the use of the DasLab service (such as, e.g., ordering the home test and analysing the sample). We also provide you with an overview of the rights available to you in connection with this personal data.

We take the protection of your personal data seriously and strive to be as transparent as possible.

 

  • 1. Applicability of the privacy policy

 

This Privacy Policy applies to the platform provided by DasLab that connects healthcare providers, medical laboratories - and other healthcare stakeholders - with patients ("Platform"). This Privacy Policy does not apply to third-party applications or software that are integrated into our Services or to any other third-party products, services or companies ("Third-Party Services").

This privacy policy applies in the event that you

  • place an order via your statutory health insurance provider,
  • place an order via your telemedicine provider or
  • use the DasLab services without ordering a home test and analyzing the sample and without involving a statutory health insurance company or a telemedicine provider. 

Insofar as differences arise from these different constellations for the purposes of this privacy policy, these are expressly indicated.

 

  • 2. Responsible

 

The EU General Data Protection Regulation (GDPR) distinguishes between the controller of personal data and the processor of personal data. The controller of the data entered by users is:

Das Lab GmbH
Ludwigstrasse 8
80539 Munich

If you have any questions or complaints or wish to exercise your rights in relation to your personal data, please contact us at

contact@daslab.de
https://daslab.health/de/legal/imprint 

 

  • 3. Data Protection Officer

 

If you have any questions regarding the processing of your personal data, you are also welcome to contact our data protection officer with your data protection concern by sending an email to the email address above. Please note that not only our data protection officer will receive your request. If you wish to contact our data protection officer exclusively and/or wish to submit confidential information, please refer to the data protection officer in your e-mail and ask to be contacted.

 

  • 4. What personal data do we process and for what purposes?

 

If you would like to order a test kit for a self-test at home via your statutory health insurance or via your telemedicine provider, we need the following personal data from you:

 

  • a. Order of an at home test

 

If you would like to order a test kit for an at-home test, we require the following personal data from you:

  • Name, first name
  • Date of birth
  • Gender
  • Address
  • E-mail address
  • (only if you place the order via your statutory health insurance and not via a telemedicine provider): Insured person number

This information is collected by us if you place the order via your statutory health insurance provider, or is transmitted to us by your telemedicine provider if you place the order via your telemedicine provider. This information is required to complete the order and send you the home test. The legal basis for the data processing is Art. 6 para. 1 lit. b GDPR and your consent according to Art. 9 para. 2 lit. a GDPR.

When placing an order, you must have a valid membership with the relevant health insurance company and be at least 18 years old. After a successful order, DasLab transmits the order data to the fulfilment service provider (Schubert Medizinprodukte GmbH & Co. KG, Bodenwöhrer Str. 3, 92442 Wackersdorf) for the purpose of product dispatch and delivery. DasLab then transmits the order data to the laboratory

  • amedes MVZ für Laboratoriumsdiagnostik und Mikrobiologie GmbH, Jena
    (at-home test as part of colon cancer screening)
  • Zotz-Klimas MVZ Düsseldorf-Centrum GbR
    (at-home test as part of cervical cancer screening)

for the purpose of diagnostic analysis.

There is no legal obligation to provide your personal data. However, if you do not provide us with your data, it will not be possible to order the home test.

 

  • b. Registration in the patient portal

 

If you have ordered a test kit for a self-test at home via your statutory health insurance or via your telemedicine provider, carried it out and sent it to the laboratory for analysis, we will inform you by e-mail that your laboratory results are available. After that, you can register in the patient portal and create an account to view the results. For this purpose, we process the following data:

  • Name, first name
  • Date of birth
  • Gender
  • E-mail address
  • Results of the laboratory test (health data)

In order to provide you with the service and to enable access to your orders and test results, the above-mentioned data, which includes health data in particular, is processed on the basis of your express consent pursuant to Art. 9 (2) lit. a GDPR. Your consent is the legal basis for the data processing.

As part of the use of our Services, we provide certain notices and updates to our users. We may send you service, transactional, technical and other administrative notices, such as notices about your account, our service offerings, changes to the Services and important service-related notices, such as security and fraud notices. We consider these communications to be part of our services to you and they are based on our legitimate interest under Article 6(1)(f) GDPR. Our legitimate interest is to inform you about account-related aspects.

There is no legal obligation to provide your personal data. However, if you do not provide us with your data, registration is not possible.

 

  • c. Billing for services rendered
  • (1) If you order through your statutory health insurance:

 

For the purpose of billing your statutory health insurance for the services provided, we process the following personal data:

  • Name, first name
  • Date of birth
  • Gender
  • Insured person number
  • Participation date

We transmit this data on the basis of your express consent in accordance with Art. 9 Para. 2 lit. a GDPR to ADM (Advanced Diagnostics Managementgesellschaft GmbH, Zeppelinstraße 73, 81669 Munich), which is entitled to invoice the service to your health insurance company on the basis of a selective contract. 

ADM uses DRMZ (Deutsches Medizinrechenzentrum GmbH, Wiesenstr. 21, 40549) as an order processor for billing purposes. The integration is data protection compliant in accordance with the requirements of Art. 28 GDPR.

 

  • (2) If you order through your telemedicine provider:

 

For the purpose of billing your telemedicine provider for the services provided, we process the following personal data:

  • Name, first name
  • Date of birth
  • Gender
  • Insured person number
  • Participation date
  • Type and date of services provided

We transmit this data on the basis of your express consent in accordance with Art. 9 Para. 2 lit. a GDPR to your telemedicine provider, which is entitled to invoice the service to your health insurance company on the basis of a selective contract. 

Your telemedicine provider may use other service providers as processors for billing purposes. You can find more information on this in the privacy policy of your telemedicine provider.

 

  • d. Data processing when contacting us

 

If you contact us, the data you provide us with, such as your e-mail address, your name and your telephone number, if applicable, as well as information about your request, will be stored by us in order to answer your questions. 

The data processing serves the purpose of processing your enquiry.

If the purpose of contacting you is to conclude a contract for the use of the platform services, or if it is about an existing contract with you, Art. 6 para. 1 sentence 1 lit. b GDPR is the legal basis for the processing. 

In other cases, the legal basis for the processing of personal data concerning you is Art. 6 para. 1 p. 1 lit. f GDPR. The legitimate interest results from the necessity of processing your data in order to be able to answer your enquiry.

We only store your data for as long as is necessary for the purpose, i.e. until your enquiry has been answered in full, or, if the enquiry is assigned to a contract, according to the time limits for the term of the contract.

There is no legal obligation to provide your personal data. However, if you do not wish to provide us with your data, it is not possible to contact you.

 

  • e. Evaluation of anonymised data

 

We anonymise your data in order to be able to create anonymous evaluations, provided you give us your consent to do so. 

 

  • f. Newsletter

 

In addition, we may occasionally send emails about new product features, recommendations and promotional messages or other news about DasLab if you have given your consent to receive these types of updates. You can withdraw your consent at any time with future effect and unsubscribe from these messages by using the unsubscribe link included in all such communications.

 

  • g. Technical data

 

Log files

When you visit our platform, a log data record (so-called server log files) is stored temporarily and anonymously on our web server. This consists of:

  • the page from which the page was requested (so-called referrer URL)
  • the name and URL of the requested page
  • the date and time of the call
  • the description of the type, language and version of the web browser used
  • the IP address of the requesting computer, which is shortened in such a way that a personal reference can no longer be established
  • the amount of data transferred
  • the operating system used
  • the message whether the call was successful (access status/http status code)
  • Time zone difference from Coordinated Universal Time (UTC)

This data is processed for the purpose of the technical provision of our website and for statistical evaluations as well as for the purpose of identifying and tracing unauthorised access to the web server and other criminal offences. 

The legal basis for data processing is Art. 6 para. 1 p. 1 lit. f GDPR. Our legitimate interests for the temporary storage of technical access data are to be able to provide you with a technically functional and user-friendly website and to be able to guarantee the security of our systems.

The storage of information on an end device used by you and the reading of this information takes place independently of the technology used for this purpose (cookies, object storage, pixels, web beacons, etc.) on the basis of your consent in accordance with Section 25 (1) TDDDG, which you declare by means of an opt-in. You can revoke your consent declared in this way at any time via the cookie settings. If the storage is absolutely necessary to make the website available, the legal basis for the storage is § 25 para. 2 no. 2 TDDDG.

The recipients of the data are our hosting service providers.

Log file information is stored from the end of your website visit for a maximum of 30 days and then deleted.

The data processing is necessary for the operation of our website. If you wish to object to data processing, you can do so by not visiting our website.

The provision of personal data is neither legally nor contractually required, but it is necessary for the functionality of our website.

Use of cookies

We use services and applications that are offered either by ourselves or by third parties. These include services that use technology to store or access information on the end device:

  • Cookies: Information stored on the end device, consisting in particular of a name, a value, the domain to be stored and an expiry date. So-called session cookies are deleted after the session, while so-called persistent cookies are deleted after the specified expiry date.
  • Web memory (local memory / session memory): Information stored on the terminal device consisting of a name and a value. Information in session memory is deleted after the session, while information in local memory has no expiry date and remains stored unless a mechanism for deletion has been set up (e.g. storing a local memory with time input).

You can also manually delete cookies or data stored in the local memory or session memory on your device at any time.

| Name | Provider | Purpose | Validity | Location | Type |
|---|---|---|---|---|---|
| Cookie consent | Cookiebot | Saves the status of the user's cookie consent | 1 year | USA | HTTP |
| Several | google.com | Used by Google's Firebase product to ensure that only logged-in users have secure access to DasLab products. | 1 year | USA | HTTP |
| i18n_redirected | daslab.health | Determines the visitor's preferred language. Allows the website to set the preferred language when the visitor visits again. | 1 year | Germany | HTTP |
| SL_C_23361dd035530_SID | Smartlook | Contains the project key, session ID and visitor ID. Session and visitor IDs are unique identifiers assigned to new sessions and visitors. | 13 months | USA | HTTP |
| SL_L_23361dd035530_SID | Smartlook | Contains the project key, session ID and visitor ID. Session and visitor IDs are unique identifiers assigned to new sessions and visitors. The data is stored locally. | 13 months | USA | HTTP |

 

We use the services and applications required for the operation of the website on the basis of our legitimate interests pursuant to Art. 6 (1) f) GDPR to provide the basic functions of our website. In certain cases, these services and applications may also be necessary to fulfil a contract or to carry out pre-contractual measures; in this case, the processing is based on Art. 6 (1) (b) GDPR. In these cases, access to and storage of information in the terminal device is mandatory and based on the implementation laws of the ePrivacy Directive of the EU member states, in Germany on Section 25 (2) of the Telecommunications Telemedia Data Protection Act.

Insofar as your consent pursuant to Art. 6 para. 1 p. 1 lit. a GDPR constitutes the legal basis for the data processing, you can revoke this consent at any time. You can do this by deleting the cookies in your browser.

The provision of your personal data is neither legally nor contractually required. However, without the provision, the functionality of our website may not be guaranteed. In addition, it is possible that individual services may not be available.

 

  • 5. Data storage

 

DasLab stores user data in accordance with the user's instructions, including the applicable provisions in the General Terms and Conditions and to the extent required by applicable law.

Your personal data will be deleted or blocked as soon as the purpose has been fulfilled and provided that there are no retention periods or further legal grounds for storage. However, storage may take place beyond the specified time if a (threatened) legal dispute with you or other legal proceedings are pending or if storage is required due to legal regulations to which we are subject.

 

  • 6. How we share personal data

 

This section describes how DasLab may share and disclose personal information. Users determine their own policies and practices for sharing and disclosing personal information. DasLab has no control over how you or other third parties share or disclose personal information.

DasLab may share and disclose personal data in accordance with the user's consent, including applicable provisions in the terms of use and the customer's use of the services, and in accordance with applicable law. To the extent necessary, we may disclose personal data to third parties only if we have obtained consent to do so, data protection contracts have been concluded or another legal basis exists, such as a legitimate interest or a legal obligation. In addition, we may engage service providers who act as processors.

We may share personal data as follows:

  • Subcontractors. We may use third party companies or individuals as sub-processors to process personal data. These third parties may, for example, provide virtual computing and storage services, or we may share business information to develop strategic partnerships to support our users.
  • Third-party services. Users may activate third party services. If so, DasLab may access and exchange the user's personal data with the provider of a third-party service on the user's behalf. Third party services are not under the responsibility of DasLab and are not controlled by DasLab. Third parties who have been granted access to personal information may have their own policies and practices for collecting, using and sharing information. Please review the permissions, privacy settings and notices for these third-party services or contact the respective provider with any questions.

As described above, DasLab will share your data with a laboratory and a fulfilment service provider for the purposes described above.

  • In the event of a change in DasLab's business. If DasLab engages in a merger, acquisition, bankruptcy, dissolution, reorganisation, sale of some or all of its assets or stock, financing, public offering of securities, acquisition of all or a portion of its business, similar transaction or proceeding, or takes steps in contemplation of such activities, some or all of the personal information may be disclosed or transferred, subject to customary confidentiality agreements.
  • To comply with the law. When we receive a request for personal information, we may disclose personal information if we have a reasonable belief that disclosure is being made or is required in accordance with an applicable law, regulation or legal process.
  • To enforce our rights, prevent fraud and for security reasons. Personal information may be disclosed to protect and defend the rights, property or safety of DasLab, its users or third parties, including the enforcement of contracts or policies or in connection with the investigation and prevention of illegal activities, fraud or security issues, and the prevention of death or imminent physical harm.

 

 

  • 7. Data security

 

DasLab takes the security of personal data very seriously. We strive to protect all personal data from loss, misuse and unauthorised access or disclosure and therefore use appropriate technical and organisational security measures. Our security measures include encryption, firewalls, access controls and regular security audits. We continuously monitor and update our systems to stay ahead of new threats and ensure the highest level of security for your data. Our security measures are constantly improved in line with technological developments.

Given the nature of communications and information processing technology, DasLab cannot guarantee that personal data will be secure from intrusion by third parties during transmission over the Internet or while stored on our systems or otherwise in our custody.

 

  • 8. Our responsibility for links to third parties

 

Our Platform may contain links to websites and services operated by third parties. If you follow a link to one of these websites or services, please note that these websites and services have their own privacy policies and terms and conditions. In addition, we have no responsibility for the information collected by third party websites and cannot be held responsible for the protection and privacy of any information you provide to those websites. You should read the relevant privacy notices and terms and conditions before using their websites or services.

 

  • 9. Age restriction 

 

DasLab does not permit the use of our Platform by persons under the age of 18 ("Minors"). If you learn that a Minor has unlawfully provided us with personal information, please contact us and we will take steps to delete that information.

By using our Platform, you represent and warrant that you are not a minor at the time you first access our Platform.

If you are a minor, you represent and warrant that you will access the Platform with the consent of a parent or guardian who is over 18 years of age and who accepts responsibility for your use of the Platform.

 

  • 10. Data transmission

 

We also use service providers based outside the European Economic Area (in the US). We have taken steps to ensure that adequate safeguards are in place to ensure the continued protection of your personal data, for example by entering into standard contractual clauses adopted by the European Commission (Article 46(2)(c) GDPR). It should also be noted that there is an adequacy decision (EU-U.S. Data Privacy Framework) for data transfers to the U.S., adopted by the European Commission on 10 July 2023. The adequacy decision concludes that the United States ensures an adequate level of protection compared to the EU for personal data transferred from the EU to U.S. companies participating in the EU-U.S. Data Privacy Framework.

With service providers located in third countries, we have either a contract processing agreement pursuant to Art. 28 GDPR or joint responsibility pursuant to Art. 26 GDPR, as well as standard contractual clauses (as mentioned above), depending on the contractual constellation.

 

  • 11. Your rights

 

If we are the controller of your personal data, the data subject rights of the GDPR set out below apply to you, provided the requirements are met.

You can exercise your rights as a data subject regarding the processing of personal data relating to you at any time by contacting us using the contact details provided at the beginning of this document. You have the right as a data subject:

  • to request information about your data processed by us in accordance with Art. 15 GDPR. In particular, you can request information about the processing purposes, the category of data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right of complaint, the origin of your data if it has not been collected by us, as well as the existence of automated decision-making including profiling and, if applicable, meaningful information about its details;
  • to demand the correction of incorrect data or the completion of your data stored by us without delay in accordance with Art. 16 GDPR;
  • pursuant to Art. 17 GDPR to request the deletion of your data stored by us, unless the processing is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the assertion, exercise or defence of legal claims;
  • to demand the restriction of the processing of your data in accordance with Art. 18 GDPR, insofar as the accuracy of the data is disputed by you or the processing is unlawful;
  • pursuant to Art. 20 GDPR to receive your data that you have provided to us in a structured, common and machine-readable format or to request the transfer to another controller ("data portability");
  • to object to the processing pursuant to Art. 21 GDPR, provided that the processing is based on Art. 6 (1) sentence 1 lit. e or lit. f GDPR. This is particularly the case if the processing is not necessary for the performance of a contract with you. Unless it is an objection to direct marketing, when exercising such an objection, we ask you to explain the reasons why we should not process your data as we have done. In the event of your justified objection, we will review the merits of the case and either cease or adapt the data processing or show you our compelling legitimate grounds on the basis of which we will continue the processing;
  • in accordance with Art. 7 (3) GDPR to revoke your consent once given to us at any time, if you have given such consent. This has the consequence that we may no longer continue the data processing that was based on this consent in the future; and
  • to complain to a data protection supervisory authority about the processing of your personal data in accordance with Art. 77 GDPR.

Most of these rights are not absolute and are subject to exceptions under applicable law. We will respond to any request to exercise your rights promptly and in any event within one month of receiving the request, but we have the right to extend this period in certain circumstances. If we extend the time limit for reply, we will inform you within one month of your request. If your request is manifestly unfounded or disproportionate, we reserve the right to charge a reasonable fee or refuse to respond. To exercise these rights, please submit a request to us by sending an email to contact@daslab.de.

 

  • 12. Updating the privacy policy

 

Due to changes in legal or official requirements as well as the further development of technical standards and our offer, adjustments to this data protection declaration may be necessary, which is why it is regularly checked for the need for changes or additions. The data protection declaration can therefore be changed at any time with effect for the future. 

This privacy policy is valid as of 1 June 2024.