The processing of personal data in accordance with the highest data protection standards is a central concern for us.
With this declaration, we inform you in accordance with Art. 13 DSGVO about all data processing that takes place in connection with PCR tests that we perform, among others, on behalf of the State of Tyrol.
If you have any questions, please do not hesitate to contact us using the contact details provided.

Article 13 DSGVO: Responsible
Novatium GmbH
FN 55269v, District Court Innsbruck
Kalkofenweg 24
A-6020 Innsbruck
e-mail: info@novatium.at
M: +43 6766617515

Article 13 DSGVO: Data Protection Officer
Mag. Dr. Kemal Cakar, LL.M.
Kalkofenweg 24
A-6020 Innsbruck
e-mail: info@novatium.at
M: +43 6766617515

Article 13 DSGVO: Purposes of processing and their legal basis
Purpose: Creation of a customer account

In order to use our services, it is necessary to create a customer account. For the creation you need to enter
– First name
– Surname
– e-mail address
on our website my.novatium.at.
Legal basis: We need this information to enable you to receive test kits and subsequently send you the test result in the customer area.
To create the account, we will send you an email to confirm and set a password.
With your e-mail address and password, you can then log into the customer area on our website.
The creation of the customer account is necessary for the fulfillment of the contract for the processing of the testing and is based on Art. 6 para. 1 lit. b DSGVO (contract initiation and fulfillment).
In addition, registration prevents the misuse of test kits and is therefore in our legitimate interest pursuant to Art. 6 para. 1 lit. f DSGVO (legitimate interest).
Purpose: Creation of users
When you are logged in, you can create multiple users who can use the same customer account.
This is primarily to allow people who do not have a smartphone to access our services.
The following information is required to create a user:
– Gender
– First name
– Last name
– Birthday
– Social security number
– Travel document number
– E-mail Address
– Telephone Number
– Your Address
Legal basis: The data is necessary to provide you with free test kits and to subsequently assign and deliver the test result to you.
The social security number is necessary to check whether you are entitled to free test kits due to a valid health insurance and to prevent misuse.
The address is necessary to determine whether you have your domicile or residence in Tyrol, especially since the offer is limited exclusively to persons with domicile or residence in Tyrol.
E-mail address and telephone number are necessary to inform you about the existence of the test result.
The legal bases are the fulfillment of the contract according to Art. 6 para. 1 lit. b DSGVO (contract initiation and fulfillment), our legitimate interests in preventing abuse according to Art. 6 para. 1 lit. f DSGVO (legitimate interests), public interests according to Art. 6 para. 1 lit. e DSGVO in preventing abuse (public interests).
The collection of this data is also partly necessary to comply with our legal reporting obligation under the Epidemiegesetz Act.
In this respect, the legal manufacturing fact of Art. 6 para. 1 lit. c DSGVO (legal obligation) is present.
Purpose: Registration and execution of the test
With the number of the QR code or barcode on the test kit or by scanning the QR code with your camera, you can register a performed test in our system and hand it in at one of the return stations.
In this way, a link is made between the user of the customer account who performed the test and the specific sample.
In our system, the following additional categories of data are generated, linked and stored after the test is registered:
– Event number
– event ID
– Barcode
– QR code of the sample
(after the evaluation of the test) the findings, i.e. the result of the medical diagnostics.
Legal basis: We base this processing, in particular the preparation of the findings, on the grounds of medical diagnostics for the purpose of preventive health care and the existence of a public interest in the field of public health pursuant to Art. 9 (2) lit. h and i DSGVO. Among other things, we have the qualification of a natural science laboratory, which is allowed to carry out COVID-19 tests according to § 28c Epidemiegesetz.

Furthermore, the preparation of the result and the test result derived from it is our contractual core service, so that this processing is justified according to Art. 6 Para. 1 lit. b (contractual performance) and Art. 6 Para. 1 lit. f (legitimate interest).
It is pointed out that due to legal obligation according to § 2 para. 1 and § 3 para. 1 line 1a Epidemiegesetz, we are obliged to transmit certain personal data to the competent district administrative authority (health office) in case of a positive test result.
Based on legal obligation, these results are reported by us to the Epidemiological Reporting System (EMS) according to § 4 Epidemiegesetz and the Ordinance on Electronic Laboratory Reports to the Register of Notifiable Diseases (BGBl II 2013/184).
Purpose: Delivery of the test result
After evaluation of the sample, we will transmit your test result based on the generated report by sending a link to download the document via e-mail and/or via SMS.
The following data will be recorded on the test result:
– First name
– Surname
– date of birth
– Time when the test result was issued and whether the test result is positive or negative (“proven” or “not proven”)
Legal basis: The legal basis for the delivery of the test result is the fulfillment of our contractual obligation according to Art. 6 para. 1 lit. b DSGVO (fulfillment of contract).
The test result is also a health data and therefore a sensitive personal data according to Art. 9 (1) DSGVO.
The processing is only permissible if one of the reasons according to Art. 9 (2) DSGVO applies.
We base the implementation of the processing on the grounds of medical diagnostics for the purpose of preventive health care and the existence of a public interest in the field of public health pursuant to Art. 9 (2) lit. h and i DSGVO. The national legal basis is, among others, Section 28c and Section 4c (2) last sentence of the Epidemics Act and the relevant COVID-19 legislation.
For the rest, we refer to the explanations in the point above.
Purpose: General information about the website
We do not use cookies and do not process any personal data on our website beyond the processing operations listed above.
Purpose: General information about the iOS and Android app
The app functionality is to authenticate the app user, activate functions, prevent misuse and implement security measures, as well as to ensure server availability and minimize app crashes while scalability and performance improvement, and to perform efficient customer service.
The core function of the app is to
– proving that you are authorized to collect test kits;
– link submitted test samples to you, and
– Deliver test results to you electronically.
Use of our service is also available through the Novatium App for iOS and Android devices. To use the app, you must download and install it from the App Store/Play Store. The following collected data is linked to the user’s identity on our servers:
– Email address
– Gender
– First Name
– Last Name
– Birthday
– SV number/passport number
– Telephone number
– Street and house number
– City, postal code
– Country
– The following collected data is not linked to the user’s identity:
– Camera
– Exact location
– Approximate location
As far as we know, the fact that you have installed the app is linked to your Apple ID or Google account. Apple’s privacy policy can be found here and Google’s privacy policy can be found here.
In order to ensure the functionality of the app, basically the same data is processed as on the Novatium website. For the legal basis, please therefore refer to the other sections of this privacy policy.

Article 13 DSGVO: Recipients of personal data
District administrative authorities
Due to legal obligation according to § 2 para. 1 and § 3 para. 1 Z 1a Epidemiegesetz, we are obliged to transmit this data to the named recipient in case of a positive test result.
Legal basis: legal obligation according to Art. 6 para. 1 lit. c DSGVO and public interest in health according to Art. 9 para. 2 lit. i DSGVO in connection with § 10 para. 2 DSG.
Medical University of Innsbruck
Christoph-Probst-Platz 1
Innrain 52 A
Fritz Pregl Street 3
A-6020 Innsbruck
for the purpose of quality control and sequencing of positive test results to detect possible mutants of the COVID-19 virus.
Legal basis: public interest in the prevention and containment of the pandemic according to Art. 6 para. 1 lit. e DSGVO, legitimate interest in improving the quality of our services according to Art. 6 para. 1 lit. f DSGVO and public interest in health according to Art. 9 para. 2 lit. i DSGVO in connection with § 10 para. 2 DSG.

Land Tirol
Eduard-Wallnöfer-Platz 3
A-6020 Innsbruck
assumes the central coordination and control of contact follow-up in the event of positive test results in Tyrol, this in cooperation with the district administrative authorities.
For this purpose, the following data are transmitted: First name, last name, gender, date of birth, social security number, telephone number, address and number of the test.
Legal basis: public interest in the prevention and containment of the pandemic according to Art. 6 para. 1 lit. e DSGVO and public interest in health according to Art. 9 para. 2 lit. i DSGVO in connection with § 10 para. 2 DSG.

Brennercom Tirol GmbH
Eduard Bodem Lane 8
A-6020 Innsbruck
for the provision of IT infrastructure (hosting)

KBM Software GmbH
Clover Settlement 6/1
A-8077 Gössendorf
as order processor for our IT infrastructure

Cloudflare, Inc.
101 Townsend St
San Francisco
CA 94107, USA
provides services for us that ensure that our website is always available and accessible.
In this course, no personal data is transmitted to this processor.

Twilio Ireland Limited
25-28 North Wall Quay
Dublin 1, Ireland
as a service provider for the creation and transmission of e-mail messages.

OpenCage GmbH
Interface for querying a GEO location for a given address, whereby only the residential address is used for overview display on maps.

Other recipients
Due to the rapidly changing legal situation, we must reserve the right at this point to also transfer the data to other recipients, provided that there is a corresponding legal manufacturing circumstance according to Art. 6 and 9 DSGVO or new processors are involved.

Notwithstanding this, we will endeavor to keep this declaration up to date at all times.

Article 13 DSGVO: Transfer to third countries and, if applicable, statements in the case of international data transfers.
We do not transfer your data to third countries or to international organizations.

Article 13 DSGVO: Storage period
Obligation to retain data under tax law
according to § 132 Abs. 1 BAO: 7 years (Beyond that, as long as they are of importance for the tax authority in pending proceedings)

Retention obligation under company law
according to §§ 190, 212 UGB: 7 years

Retention obligation under sales tax law
for invoices according to § 11 para. 2 3rd subparagraph UStG: 7 years

Retention obligations under VAT law
for export documents according to § 7 para. 7 UStG: 7 years

Warranty
according to § 933 ABGB: 2 years

Purchase price claim for movable goods
according to § 1062 iVm § 1486 ABGB: 3 years

Claims for rent and leasehold interest
according to § 1486 ABGB: 3 years, beginning of period: from due date

Claims from a contract for work and services
according to § 1486 ABGB (if the service was rendered within the scope of a commercial or other business operation): 3 years

General compensation for damages
according to § 1489 ABGB (claims for compensation): 3 years (if damage and injuring party are known) /otherwise 30 years

Liability claims
according to § 13 PHG: 10 years

Negative and invalid test results
are stored for a period of two weeks and then completely anonymized.

Positive test results
are stored for documentation purposes for a period of six months, unless there is a need to keep the result longer in a specific individual case.

The data created during the creation of the account and individual users will be stored until the account or users are deleted via your request.

Article 13 DSGVO: Legal notice
You have the right to request confirmation as to whether personal data is being processed; if this is the case, you have a right of access to this personal data.
The following information is covered:
the purposes of processing;
the categories of personal data;
the recipients or categories of recipients;
if possible, the planned duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration;
the existence of a right to rectification or erasure of the personal data concerned or to restriction of processing by the controller or a right to object to such processing;
the existence of a right of appeal to a supervisory authority;
Any available information about the origin of the data;
The existence of automated decision-making, including profiling.
You have the right to obtain from the controller the rectification of inaccurate personal data and the completion of incomplete personal data.

You have the right to request the controller to delete personal data immediately if one of the following reasons applies:
The personal data is no longer necessary for the purposes for which it was collected.
You withdraw your consent on which the processing was based in accordance with and there is no other legal basis for the processing.
You object to the processing (Art. 21(1) DSGVO) and there are no legitimate grounds for the processing or you object to the processing pursuant to Art. 21(2) DSGVO.
The personal data has been processed unlawfully.
The erasure of the personal data is necessary for compliance with a legal obligation.
The personal data has been collected in relation to information society services offered pursuant to Article 8(1).
The right to erasure does not exist insofar as the processing is necessary for the exercise of the right to freedom of expression and information;
for compliance with a legal obligation, for the performance of a task carried out in the public interest;
for reasons of public interest in the field of public health;
for archival purposes in the public interest, scientific or historical research purposes, or for statistical purposes for the establishment, exercise or defense of legal claims.
You have the right to request the restriction of processing if one of the following conditions is met:
the accuracy of the personal data is contested for a period enabling the controller to verify the accuracy of the personal data;
the processing is unlawful and you object to the erasure of the personal data and request instead the restriction of the use of the personal data;
the controller no longer needs the personal data, but you need it for the assertion, exercise or defense of legal claims;
you have objected to the processing pursuant to Article 21(1), as long as it has not yet been determined whether the legitimate grounds of the controller prevail.
If the processing has been restricted, these personal data may – apart from being stored – only be processed with your consent or for the assertion, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest.
You have the right to receive the personal data you have provided to a controller in a structured, commonly used and machine-readable format, and you have the right to transmit this data to another controller without hindrance from the controller to whom the personal data was provided, provided that the processing is based on consent or on a contract and the processing is carried out with the help of automated procedures.
When exercising the right to data portability, you have the right to obtain that the personal data be transferred directly from one controller to another controller, where technically feasible.
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data carried out on the basis of Article 6(1)(e) or (f) DSGVO;
this also applies to profiling based on these provisions.
The controller shall no longer process the personal data unless it can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of you, or for the assertion, exercise or defense of legal claims.
If personal data are processed for the purpose of direct marketing, you have the right to object at any time to processing of personal data for such marketing;
this also applies to profiling, insofar as it is related to such direct marketing.

Article 13 DSGVO: Revocability of consent
You have the right to revoke consent based on Article 6(1)(a) or Article 9(2)(a) at any time without affecting the lawfulness of the processing until revocation.

Article 13 DSGVO: Right of complaint to a supervisory authority
You have the right to lodge a complaint with the
Austrian Data Protection Authority
Barichgasse 40-42
1030 Vienna
T.: 00431521522569
e-mail: dsb@gsb.gv.at
if you believe that the processing violates applicable data protection law.

Article 13 GDPR: Provision of personal data and possible consequences of non-provision.
We would like to point out that the provision of data is partly required by law or necessary for the performance of the contract. If you do not provide the data, we will not be able to provide our service to you.
Article 13 DSGVO: Automated decision-making including profiling
There is no automated decision making including profiling.