-
harambasicluka authoredCo-authored-by:
Mohamed Metwalli <mohamed.metwalli@sap.com>harambasicluka authoredCo-authored-by:Mohamed Metwalli <mohamed.metwalli@sap.com>
Code owners
Assign users and groups as approvers for specific file changes. Learn more.
privacy_en.html 66.06 KiB
<p>
This privacy notice explains how your data is processed and what data
protection rights you have when using the German Federal Government’s
official coronavirus app, the Corona-Warn-App.
</p>
<p>
It covers the following topics:
</p>
<ol>
<li><strong>Who is the Corona-Warn-App published by?</strong></li>
<li><strong>Is using the app voluntary?</strong></li>
<li><strong>On what legal basis is your data processed?</strong></li>
<li><strong>Who is the app aimed at?</strong></li>
<li><strong>What data is processed?</strong></li>
<li><strong>Why is your data processed?</strong></li>
<li><strong>How does the transnational warning system work?</strong></li>
<li><strong>What permissions does the app require?</strong></li>
<li><strong>When will your data be deleted?</strong></li>
<li><strong>Who will receive your data?</strong></li>
<li><strong>Is your data transferred to countries outside the EU?</strong></li>
<li><strong>How can you withdraw your consent?</strong></li>
<li><strong>What other rights do you have under data protection law?</strong></li>
<li><strong>Data protection officer and contact</strong></li>
</ol>
<p>
To make sure that this text can be understood by all users, we have made
every effort to make it simple and as non-technical as possible.
</p>
<h2>
1. Who is the Corona-Warn-App published by?
</h2>
<p>
This app is published by the Robert Koch Institute (<strong>RKI</strong>)
for the German Federal Government. The RKI is also responsible for ensuring
that your personal data is processed in accordance with data protection regulations.
</p>
<p>
If, after testing positive for coronavirus, you use the app’s transnational warning feature, it
is also possible to warn users of official coronavirus apps of other countries whom you have
encountered. In this case, the RKI and the competent health authorities of the countries
participating in the respective transnational warning systems are so-called joint controllers,
meaning they are jointly responsible for data processing. Please refer to Section 7 for more
details.
</p>
<h2>
2. Is using the app voluntary?
</h2>
<p>
Using the app is voluntary. It is entirely up to you whether you install the app, which of the
app’s features you use, and whether you share data with others. All of the app’s features that
require the transfer of your personal data to the RKI or to other users will obtain your express
consent in advance. If you do not give your consent or if you subsequently withdraw it, this
will not result in any disadvantages for you.
</p>
<h2>
3. On what legal basis is your data processed?
</h2>
<p>
The RKI will only process your data if you have given your express consent beforehand. The legal
basis is Art. 6(1) Sentence 1(a) GDPR and, in the case of health data, Art. 9(2)(a) GDPR. After
giving your consent, you can withdraw it at any time (so-called right of withdrawal). Please
refer to Section 12 for further information about your right of withdrawal. On the basis of Art.
6(1) Sentence 1(e) GDPR in conjunction with Sect. 3 of the German Federal Data Protection Act (BDSG), the processing of access data for the provision of daily statistics (see Section 6 e.)
is performed as part of the RKI’s duty to inform the public pursuant to Sect. 4(4) of the Act on
Successor Agencies to the Federal Health Agency (BGA-NachfG).
</p>
<h2>
4. Who is the app aimed at?
</h2>
<p>
The app is aimed at people who are resident in Germany and at least 16
years old.
</p>
<h2>
5. What data is processed?
</h2>
<p>
The app’s entire system has been programmed to process as little personal data as possible. This
means that, when you use exposure logging, warn other users, or retrieve a test result, the
system does not need to collect any data that would allow the RKI or other users to infer your
identity, your name, your location or other personal details. The only exceptions to this are
the feature for proving a rapid test result, which allows you to display a confirmation issued
in your name for negative rapid test results (see Section 6 c.), and the feature for creating a
rapid test profile, which allows you to provide a testing point with the data required to
perform a rapid test (see Section 6 d.).
</p>
<p>
The app refrains by default from using analysis tools to evaluate the way you use it. Only if
you expressly agree to voluntarily share data or to record an error report and share it with the
RKI (see Sections 5 i. and 5 k.), will certain data about your use of the app be transmitted to
the RKI.
</p>
<p>
The data processed by the app can be grouped into the following categories:
</p>
<h3>
a. Access data
</h3>
<p>
Every time the app exchanges data over the internet with the RKI’s server
system (hereinafter referred to as the <strong>server system</strong>), the
server system processes so-called access data. This is necessary so that
the app can retrieve current data (e.g. for warnings) or transmit certain
data stored on your smartphone to the server system. This access data
includes the following:
</p>
<ul>
<li>
IP address
</li>
<li>
Date and time of retrieval
</li>
<li>
Transmitted data volume (or packet length)
</li>
<li>
Notification of whether the data exchange was a success.
</li>
</ul>
<p>
This access data is processed to maintain and secure the technical
operation of the app and the server system. You will not be identified
personally as a user of the app and no user profile will be created. Your
IP address will not be stored beyond the end of the usage procedure.
</p>
<p>
In order to prevent unauthorised parties from using your IP address to
associate your data with you when you use the app, the app only ever
accesses the server system via a special access server. This access server
then forwards the data requested or transmitted by the app to the
appropriate server, but without your IP address, meaning that your IP
address is no longer processed within the server system.
</p>
<h3>
b. Exposure data
</h3>
<p>
As soon as you enable your iPhone’s or your Android smartphone’s COVID-19
exposure notification system (which is called “Exposure Notifications” or
“COVID-19 Exposure Notifications” respectively), your smartphone transmits
so-called exposure data via Bluetooth, which other smartphones in your
vicinity can record. Your smartphone, in turn, also receives the exposure
data of other smartphones. The exposure data transmitted by your smartphone
comprises:
</p>
<ul>
<li>
Random identification numbers (hereinafter referred to as <strong>random IDs</strong>)
</li>
<li>
Bluetooth protocol version
</li>
<li>
Bluetooth transmit power in decibel-milliwatts (dBm).
</li>
</ul>
<p>
If exposure to another smartphone is recorded, the exposure data also
includes:
</p>
<ul>
<li>
Day, time and duration of the contact
</li>
<li>
Bluetooth signal strength in dBm.
</li>
</ul>
<p>
The random IDs are changed regularly. This helps prevent your
smartphone from being identified using these random IDs. The exposure
data transmitted by your smartphone and the exposure data recorded when
you come into contact with other app users are stored on your
smartphone and deleted after 14 days. The exposure data transmitted by
your smartphone is processed in the same way when it is recorded by the
smartphones of other app users.
</p>
<p>
Please note: the COVID-19 exposure notification system functionality is
part of your operating system. The providers responsible for this system
are therefore Apple (if you have an iPhone) and Google (if you have an
Android smartphone). In this respect, the data processing is subject to
these companies’ own privacy policies, which means that the RKI is not
responsible for this and has no influence on it. Depending on the version
and configuration of your operating system, the actual names, operating
steps and settings options may differ from those described in this privacy
notice. More information is available from the respective providers:
</p>
<ul>
<li>
If you have an Android smartphone, you can find information from Google
on your device by going to “Settings” > “Google” > “COVID-19 exposure notifications” and tapping on “Learn more”.
</li>
<li>
If you have an iPhone, you can find information from Apple on your
device by going to “Settings” > “Exposure Notifications” and tapping
on “How Exposure Notifications work ...”.
</li>
</ul>
<h3>
c. Rapid test data
</h3>
<p>
If you have taken rapid antigen tests at a testing point, you can retrieve the results of these
through the app. If you choose to use this service, your testing point will generate an
individual QR code for you to scan with the app. The QR code contains a unique code for your
rapid test, and the time you were tested, in encoded form. If, in the event of a negative rapid
test result, you wish to have the test result displayed along with your name in the app for
verification purposes (see Section 6 c. for more information about this feature), the QR code
will contain further data provided by you in encoded form.
</p>
<h3>
d. Rapid test profile
</h3>
<p>
You can store information about yourself in your rapid test profile in the app. The rapid test
profile includes the following fields: first name, last name, date of birth, street and house
number, postcode, town, phone number, email address. The app then converts your data into your
personal QR code, which contains all the data you have entered. Creating a rapid test profile in
the app, and using it at a testing point, are voluntary. You decide yourself which data you
enter in your rapid test profile. The QR code only contains this data. If the testing point
requires more information that is not contained in the QR code, you can also provide this to the
testing point in another way.
</p>
<h3>
e. Event data
</h3>
<p>
If you visit an event (such as a party or concert) or a place (such as a shop or restaurant),
you can record your stay there in the app. Event organisers and business owners can provide
guests with a QR code for this purpose.
</p>
<p>
As a guest, you can “check in” when you arrive by simply scanning this QR code with the app.
When leaving the event or place, you can “check out” again in the app. The app then remembers
that you were at that event or place, and when you were there. If a guest later tests positive
for coronavirus and activates the warning feature via their app, then all other guests who were
checked in at the same time will receive a warning.
</p>
<p>
If you scan a QR code as a guest, the event details provided by the host (name of the
event/place, address/location, typical length of stay and, if applicable, the time when the
event started) as well as the check-in time will be stored on your smartphone. In addition, your
app will derive an encrypted identifier (hereinafter referred to as the event ID) that can be
uniquely assigned to the event based on the information contained in the QR code. No conclusions
about the event or the place can be drawn from the event ID. When you check out in the app or
are automatically checked out after the time preset by the host, the check-out time will be
stored on your smartphone.
</p>
<p>
An entry will also be created in your contact journal by default. Sections 5 g. and 6.g. explain
this in more detail. If you do not want to create an entry in your contact journal for an event
or place, you can simply switch off this feature using the corresponding toggle switch.
</p>
<p>
If you as a host create a QR code for your guests, the event details you provide and a random
code will be stored in the QR code. The random code ensures that different places and events for
which the same event details have been entered will later have different event IDs. The QR codes
you create are stored on your smartphone. Under “My QR codes”, you can delete the QR codes you
have created at any time.</p>
<p>
Using the event check-in feature is voluntary. You decide yourself whether you want to create a
QR code for your event or place, and whether to check in at an event or place.
</p>
<p>
Under “My check-ins”, you can check and delete your previous check-ins and also adjust the
check-out time.
</p>
<h3>
f. Health data
</h3>
<p>
Health data is any data containing information about a person’s health.
This includes not only information about past and current illnesses, but
also about a person’s risk of illness (such as the risk that a person has
been infected with coronavirus). The app processes health data in the
following cases:
</p>
<ul>
<li>
When a possible exposure is identified
</li>
<li>
If you use the app to retrieve a test result
</li>
<li>
If you use the app to warn other users and guests from events or places you visited at the
same time that they may be infected
</li>
<li>
If you provide information about the onset of any coronavirus symptoms or
</li>
<li>
If you add digital vaccination certificates in the app.
</li>
</ul>
<p>
Section 6 explains this in more detail.
</p>
<h3>
g. Entries in the contact journal
</h3>
<p>
If you use the contact journal to note when and where you met certain people and record certain
details of the encounter or contact details for people and places, this information is stored in
encrypted form on your smartphone. The contact journal entries are only there to help you
remember. The RKI and other agencies cannot gain access to entries in the contact journal. The
contact journal can help you to keep track of your personal contacts over the last 14 days. If
you test positive for coronavirus and the public health office (Gesundheitsamt) requests your
assistance with contact tracing, then you can quickly provide the information it needs.
</p>
<p>
Using the contact journal is voluntary. You personally decide whether to store entries in the
contact journal. In this respect, you are also responsible for what you record. For this reason,
we kindly ask you to respect the privacy of the people you include in your contact journal. You
should not share your entries with third parties or via insecure communication channels. The
competent public health office will tell you what information it needs from you for contact
tracing purposes, and how you can provide it.
</p>
<h3>
h. Data about your COVID-19 vaccination
</h3><p>
In the app, it is possible to add your vaccination certificates that you received when you were
vaccinated. Requesting a digital vaccination certificate is voluntary. If you choose to use this
service, you will receive a printout with a QR code at the time of your vaccination. This will
contain the following data about your COVID-19 vaccination in encoded form:
</p>
<ul>
<li>
Personal data (last name, first name, date of birth)
</li>
<li>
Information about the vaccine (disease, vaccine, product, manufacturer)
</li>
<li>
Vaccination information (dose number, total doses, date of vaccination, country, issuer)
</li>
<li>
Unique certificate identifier.
</li>
</ul>
<p>
The data will be stored in the app as soon as you scan the QR code for the digital vaccination
certificate. This data will have been collected previously at the time of your vaccination.
</p>
<h3>
i. Usage Data (data sharing)
</h3>
<p>
If you enable data sharing, the app will transmit certain data about your use of the app
(hereinafter referred to as usage data) once a day to the RKI. This usage data concerns the
possible exposures displayed by the app, warnings that have been received and triggered, test
results that have been retrieved, and technical information about your smartphone’s operating
system. Specifically, the usage data includes:
</p>
<ul>
<li>The date when you shared the data (i.e. the date of transmission)</li>
<li>Changes to the warning history compared to the previous day</li>
<li>What risk status was shown to you at the time when you used the data sharing feature</li>
<li>Information about which encounters served as a basis on which to calculate the risk status
</li>
<li>Information about the model and version of your smartphone and the version of your app as
well as the operating system you are using.
</li>
</ul>
<p>
If you retrieved a test result via the app:
</p>
<ul>
<li>Whether the test result was positive or negative</li>
<li>What risk was shown to you at the time when you registered the test</li>
<li>How much time has passed since the last possible exposure and its display in the app until
the relevant test registration
</li>
<li>Whether you have used the feature for warning others and, if so, which step you reached in
the process (e.g. the part that asks about your symptoms)
</li>
</ul>
<p>
If you have used the warning feature:
</p>
<ul>
<li>Whether you provided information about the onset of symptoms</li>
<li>When you gave your consent to warn others (before or after registering the test)</li>
<li>Whether you completed the entire warning process or whether you aborted the process before
the end (for example, because you did not wait for confirmation that your data had been
successfully transmitted)
</li>
<li>How many hours it took before you received your test result after registering your test</li>
<li>How many days passed since the last notification of an elevated risk before the warning feature was used
</li>
<li>How many hours have passed since the test was registered.</li>
</ul>
<p>
In addition, you can provide further optional information about your region and age group, which
will be transmitted to the RKI together with the usage data.
</p>
<p>
The RKI will compile the usage data and any optional information into anonymised statistics and
analyse it to assess the effectiveness and functioning of the app, and draw conclusions
regarding the pandemic.
</p>
<p>
Participation in data sharing is voluntary. To enable the data sharing feature, the authenticity
of your app first needs to be confirmed (please note the further information about this under
Sections 5 l. and 11).
</p>
<h3>
j. Participation in a survey
</h3>
<p>
Some app users are offered to participate in a survey by the RKI. This offer to participate in
the survey will usually be contingent on certain events registered in the app (e.g. an elevated
risk being displayed). By taking part in the survey, you will help the RKI to assess the
effectiveness of the app, to improve the app and, for example, to understand whether and how
warnings sent via the app help to prevent further infections.
</p>
<p>
Participation in the surveys is voluntary. You decide yourself whether you want to participate
in a survey and whether data should be transmitted to the RKI for this purpose. The surveys take
place on a website outside of the app, which you will be redirected to. To enable participation
in a survey, the authenticity of your app first needs to be confirmed (please note the further
information about this in Sections 5 j. and 11).
</p>
<h3>
k. Contents of the error reports
</h3>
<p>
To assist the app’s technical support team with error analysis, you can record an error report
in the app. When you start recording the error report, a comprehensive record is made of
</p>
<ul>
<li>
the steps you take in the app
</li>
<li>
the technical steps and processes as well as status messages involving
<ul>
<li>
exposure logging (e.g. involving the functioning of the processing of exposure data,
the calculation of the risk of infection, the updating of the positive lists, the
display of the calculated risk status),
</li>
<li>
the retrieval and display of test results, and
</li>
<li>
possible processes for warning others (e.g. the calculation of transmission risk
values and the technical provision of your random IDs by your smartphone)
</li>
</ul>
</li>
</ul>
<p>
and stored on your smartphone. The error report may also contain health data, because the
technical steps and processes related to the detection of a possible exposure are also recorded.
</p>
<p> However, the error report does not contain information about QR codes for test registration, the
token stored in your app (see “Retrieving a test result” in Section 6 b. below) rapid test
results, vaccination certificates and entries in your contact journal. Furthermore, the error
report does not contain your name or other information with which the RKI can identify you.
</p>
<p>
You can stop recording the error report and delete the error report at any time. If you choose
to share the error report with the RKI, you will receive an identifier for your error report
(error report ID) via the app. The error report ID allows the RKI to assign your error report to
further information that you provide separately to the technical support team, e.g. if you also
wish to provide a description of the error by email. If you provide your error report ID to the
technical support team, it may be possible to establish a link to you based on this further
information.
</p>
<p>
Creating and sending an error report to the RKI is voluntary. You decide yourself whether you
want to record an error report and send it to the app’s technical support team. To send the
error report, the authenticity of your app first needs to be confirmed (please note the further
information about this in Sections 5 l. and 11).
</p>
<h3>
l. Confirmation of the authenticity of your app
</h3>
<p>
Before you can use some of the app’s features, the authenticity of your app first needs to be
checked and confirmed to the RKI. Specifically, this authentication serves to determine whether
you are using a manipulated or counterfeit (“fake”) version of the app. The authentication uses
a feature of your operating system. Your smartphone generates a unique identifier and sends it
to your operating system provider (if you use an Android smartphone, data is transmitted to
Google; if you use an iPhone, data is transmitted to Apple). The identifier contains information
about the version of your smartphone and the version of the app. It is possible for your
operating system provider to infer your identity from the identifier and learn that your
smartphone has been authenticated. Your operating system provider does not receive any other
information, such as exposure data, from the app. Your operating system provider will use the
identifier to confirm the authenticity of your app to the RKI. Using the feature for confirming
the authenticity of your app is voluntary. However, if you do not agree to having the
authenticity of your app confirmed, other features of the app may not be available to you.
</p>
<h2>
6. Why is your data processed?
</h2>
<h3>
a. Exposure logging
</h3>
<p>
Exposure logging is part of the app’s main functionality. It serves to warn you of
possible exposure to people who have tested positive for coronavirus (“possible
exposures”) in a number of different countries, to assess the risk that you have been
infected as a result of the exposure, and to provide you with health advice and
recommendations for what to do next.
</p>
<p>
For this purpose, the app retrieves an up-to-date positive list from the server system several
times a day. This list contains information from users who have used the warning feature in an
official coronavirus app (see Section 7). This positive list contains the random IDs of users
who have activated the warning feature and, if applicable, information about the onset of
symptoms. If the users who have activated the warning feature were checked in at events, the
positive list also contains the relevant event IDs and the duration of the check-ins (check-in
and check-out times).
</p>
<p>
The random IDs and event IDs on the positive lists also contain a transmission risk value and an
indication of the type of diagnosis (see Section 6 e.).
</p>
<p>
The app passes the random IDs from the positive list to the COVID-19 exposure notification system, which compares them with the random IDs it has recorded
from your encounters with other users. If the COVID-19 exposure notification
system detects a match, it transfers to the app the exposure data recorded
for the possible exposure in question.
</p>
<p>
Similarly, the app matches event IDs from the positive list with the event IDs from your
check-ins to determine whether you were at an event or place at the same time as users who have
tested positive for coronavirus.
</p>
<p>
The app evaluates this exposure data, event IDs (including the associated check-in and check-out
times) as well as the information on the positive lists (transmission risk value; information
about the onset of symptoms) in order to determine your risk of infection. The rules for
evaluating this information (for example, how the duration of a contact influences the risk of
infection) are based on the RKI’s latest scientific findings. In the event of new findings, the
RKI can update the evaluation rules by adjusting the evaluation settings in the app. In this
case, the new evaluation settings are sent to the app together with the positive lists.
</p>
<p>
The risk of infection is calculated exclusively offline in the app and is not
passed on to the COVID-19 exposure notification system or any other recipient
(including the RKI, other health authorities in Germany or other countries,
Apple, Google and other third parties).
</p>
<p>
If a risk of infection is identified for you, this will be displayed in the app. If an elevated
risk is displayed, this means that you encountered one or more other users who later tested
positive for coronavirus and used the warning feature in their app, or that such users were
checked in at an event or place at the same time as you.
</p>
<p>
The risk calculated for each of the last 14 days is displayed in the calendar view of the
contact journal. Please refrain from drawing false conclusions about the source of any risk: a
risk calculated and displayed for a certain day may well be due to your having encountered users
unknown to you without realising it, and will not necessarily have anything to do with the
people, places or events you recorded in the contact journal.
</p>
<h3>
b. Retrieving a test result
</h3>
<p>
If you have taken a coronavirus test (PCR test or rapid antigen test), you can retrieve your
test result via the app. The app will notify you as soon as your test result is available. For
this to work, the testing facility (e.g. testing laboratory or testing point) needs to be
connected to the server system and, as part of the testing procedure, you must have given
separate consent to your test result being sent. It is not possible to display test results from
testing facilities that are not connected to the app’s server system. If you have not received a
QR code, then you cannot use this feature either.
</p>
<p>
<u>Scanning the QR code</u>
</p>
<p>
In order to retrieve your test result via the app, you will need to scan the QR code using your
smartphone’s camera. The QR code contains a code number that is read during scanning and is
assigned to your test. If the test is a rapid antigen test, then the QR code will also contain
the rapid test data described in Section 5 c. After reading the code number, the app ‘hashes’
it. This means that the app performs a certain mathematical procedure in order to convert the
code number in such a way that it can no longer be identified. However, it is still possible to
clearly assign the hashed code number to your test result. As soon as your smartphone is
connected to the internet, the app will transmit the hashed code number to the server system.
The server system then provides a digital access key (a so-called token), which is stored in the
app. The token is linked to the hashed code number in the server system. The app now deletes the
code number that has been hashed on your smartphone and keeps only the token. Once the QR code
has been used in this way, it becomes invalid and can no longer be used by anyone. This ensures that no other users can use your QR code to retrieve your test result.
</p>
<p>
<u>Filing of the test result</u>
</p>
<p>
As soon as your test result is available, the testing facility stores it in the RKI’s test
result database using only the hashed code number. The test result database is located on a
special server within the server system. The testing facility generates the hashed code number
based on the same QR code that you received.
</p>
<p>
<u>Retrieval of the test result</u>
</p>
<p>
Using the token stored in the app, the app regularly requests the status of your test from the
server system. The server system then informs the app of the current status (result not yet
available / result available). As soon as your test result is available, the outcome (i.e.
whether you have tested positive or negative for coronavirus) is also transmitted to the app. If
you have enabled the test status notification (under “Settings” > “Notifications”), you will
be notified. The test result will not be displayed until you open the app.
</p>
<p>
If you have tested positive for coronavirus, the app uses the token again to request a TAN
(transaction number) from the server system. The TAN is required to ensure that no false
warnings are transmitted to other users. For this purpose, the server system reassigns the token
to the hashed code number and requests confirmation from the test result database that a
positive test result really does exist for the hashed code number. If this is confirmed, the
server system generates the TAN and transmits it to the app. A copy of the TAN remains on the
server system.
</p>
<h3>
c. Proof of a rapid test result
</h3>
<p>
If you retrieve the result of a rapid antigen test and, when you were at the testing facility,
you selected the option to have your name displayed in the event of a negative test result, then
a negative result will be displayed along with your name, date of birth and the time you were
tested. To do this, the app uses the corresponding rapid test data which it reads when scanning
the QR code. The rapid test data will be deleted as soon as the negative rapid test result is no
longer displayed in the app.
</p>
<p>
If necessary, you can show the test result displayed in the app to prove to third parties that
you took a rapid test and the result of that test was negative. Please find out about applicable
requirements for the recognition of digital test certificates where you are located. Please
note:
</p>
<ul>
<li>The RKI cannot guarantee that a rapid test result displayed in the app will be recognised by
the competent authorities and other authorised bodies that may or must require you to
provide proof of testing (e.g. shops, employers).
</li>
<li>You are not obliged to use the app’s certification feature. If you have to prove your test
result to third parties, you can also present the proof in another form subject to the legal
requirements (which may vary depending on the federal state).
</li>
</ul>
<p>
Your name will not be displayed if you retrieve a positive rapid test result. In this case, your
name and date of birth will be immediately deleted from the app memory. Your other rapid test
data (code, time you were tested) will be deleted as soon as the positive rapid test result is
no longer displayed in the app.
</p><h3>
d. Rapid test profile
</h3>
<p>
The rapid test profile feature offers you the possibility to speed up data collection at
participating testing points. To do this, you can store information about yourself in your rapid
test profile in the app and convert it into your personal QR code, which contains all the data
you have entered. At the testing point, you can present your rapid test profile’s QR code in
your app so that it can be scanned by testing point staff, allowing the data you have provided
to be read. This is a quick and secure way for you to provide the data required to perform a
rapid test. You decide yourself which data you include in your rapid test profile and whether to
present it at testing points. If the testing point requires information that is not contained in
the QR code, you can provide the information to the testing point in another way.
</p>
<h3>
e. Warning others
</h3>
<p>
If you have tested positive for coronavirus and share your random IDs with the app, then it is
possible to warn other users whom you have encountered. In addition, users who were checked in
at the same events or places at the same time as you will be warned. In this case, the app
transmits the following data to the server system:
</p>
<ul>
<li>
Your own random IDs from the last 14 days
</li>
<li>
The event IDs of events or places where you have checked in during the last 14 days,
including the recorded check-in and check-out times
</li>
<li>
Any information about the onset of symptoms
</li>
<li>
Your TAN (see Section 6 b.).
</li>
</ul>
<p>
Before passing on your test result (more precisely: before transmitting your random IDs and
event IDs, including the recorded check-in and check-out times) to the server system, the app
adds a transmission risk value to the data and also specifies the type of test performed. The
transmission risk value is an estimate of how infectious you were on each day of the 14-day
period. Since how infectious a person is or was depends on the duration and course of the
infection, it can be taken into account, for example, that the more time has passed since the
onset of symptoms, the lower the risk of a person spreading the virus on the day of a possible
exposure. These additional transmission risk values allow a more precise determination of the
likelihood that you have infected other users.
</p>
<p>
The information requested by the app about the onset of symptoms is optional. However, this
information may help to calculate the transmission risk value even more accurately. If you do
not provide information about your symptoms, then the transmission risk values will be
calculated assuming a typical case of infection with coronavirus, i.e. the more time has passed
since a random ID was used, the lower the associated transmission risk value.
</p>
<p>
<u>If you have not retrieved your test result in the app:</u>
</p>
<p>
In the event of a positive rapid antigen test result, you can only warn other people if you
retrieved the test result in the app.
</p>
<p>
In the event of a positive PCR test result, on the other hand, you can warn others even if you received the test result outside the app. To do this, select the “Request TAN” procedure. The
app will then prompt you to call the app hotline. A hotline worker will then ask you a few
questions to make sure that you really have tested positive for coronavirus. This is to prevent
false warnings being transmitted, either by accident or intentionally. Once you have answered
these questions sufficiently, you will be asked for your mobile/telephone number and your name.
This is so that you can be called back later and given a unique TAN to enter in the app. Your
mobile/telephone number and your name will be temporarily stored for this purpose only and
deleted after an hour at the latest. Immediately after your call, the hotline worker will
generate a unique TAN via a special access to the server system and then call you back to tell
you this TAN. A TAN is only valid for one hour and will therefore be deleted no later than one
hour after it has been passed on to you. After a valid TAN is entered in the app, it is
transmitted to the server system. The TAN thus makes it possible to check that a positive test
result really does exist and thus prevent false alarms. The app then receives a token from the
server system, as it does after a valid QR code is scanned (see “Retrieving a test result” in
Section 6 b. above).
</p>
<p>
Please note that in rare cases, if you use the warning feature, people you know personally who
also use the app and then receive a warning, may infer that the warning came from you. This may
be the case if a person whom you know had no contact with anyone except with you on the day for
which the possible exposure is displayed.
</p>
<h3>
f. Using the app for information purposes only
</h3>
<p>
The app automatically receives the daily statistics that appear in the app
via the server system. This generates access data. Websites linked in the app, such as
<a href="http://www.bundesregierung.de/">www.bundesregierung.de</a>, are
opened and displayed in your smartphone’s standard browser (Android
smartphones) or within the app (iPhones). Which data is processed in this context depends on the
respective providers of the websites accessed.
</p>
<h3>
g. Contact journal
</h3>
<p>
The contact journal is an additional feature of the app. What you enter in the contact journal
serves as a reminder for you, and can only be accessed by you. If you later test positive for
coronavirus and the public health office (Gesundheitsamt) requires your assistance with contact
tracing, then you can provide the information that it needs more quickly. If the app calculates
an elevated risk for you for a particular day, then seeing this information may help you to warn
the people you have had contact with early on. This will give your contacts the chance to decide
whether to change their plans if necessary, i.e. to meet up with fewer people and thus reduce
the risk of causing undetected infections.
</p>
<h3>
h. Digital vaccination certificate
</h3>
<p>
The app allows you to save your vaccination certificates and keep them with you in digital form.
If necessary, you can then use the app to prove that you have been fully vaccinated against
coronavirus if required by law.
</p>
<p>
To add a vaccination certificate in the app, scan the QR code you received when you were
vaccinated. The app will read the information about your vaccination from the QR code and store
it in a secure area on your smartphone.
</p>
<p>
Fourteen days after receiving the last vaccination dose required, the home screen in the app
will show that you are fully vaccinated. To prove this, you can show the QR code from your
digital vaccination certificate, which will be displayed in the app. The official verification
app can be used to scan this QR code and read the information about your COVID-19 vaccination. The verification app will then show whether you are fully vaccinated. In addition, your name and
date of birth will also be displayed so that the person verifying your vaccination status can
check this information against your official identification document.
</p>
<p>
Please note that using the feature for saving your vaccination certificates in the app is
voluntary. If you are required by law to prove that you have been vaccinated, then you can also
do this in other ways.
</p>
<p>
Please note that the QR code from your digital vaccination certificate contains your COVID-19
vaccination details. You should only show it if you wish to prove your vaccination status. Do
not provide vaccination certificates or QR codes to anyone if you do not want the data to be
read.
</p>
<h3>
i. Data sharing
</h3>
<p>
Data sharing is an additional feature of the app. The usage data and other voluntary information
transmitted to the RKI by the data sharing feature are used to assess the effectiveness of the
app and enable the following improvements:
</p>
<ul>
<li>
Improving exposure logging – The aim is to improve the accuracy and reliability of the
technical calculation of risks of infection. For this purpose, information about possible
exposures and warnings displayed to you is analysed. The calculation method can then be
fine-tuned.
</li>
<li>
Improving app navigation for users – The aim is to make it easier to use the app. For this
purpose, information about the individual steps that users take in the app is analysed. This
makes it possible to make labels and texts clearer, and buttons can be placed in such a way
that they can be found more easily. In addition, displays can be customised for different
smartphone models.
</li>
<li>
Providing information and assistance with the app – The aim is to identify whether there are
problems when the app is used, for example with certain testing facilities and laboratories
or in certain regions. This can be determined if, for example, the data sharing feature
reveals that test results are available later in certain regions than in others. In this
way, the competent health authorities can also be specifically informed of potential
technical disruptions.
</li>
<li>
Improving statistics about the pandemic – The data can provide information about the
temporal and spatial distribution of certain events in the pandemic and allow the
authorities to respond more quickly to certain developments.
</li>
</ul>
<p>
The usage data and other voluntary information will be stored and analysed without any
connection to your name or identity. This means the RKI will not find out who you are or who you
have met.
</p>
<h3>
j. Error reports
</h3>
<p>
The RKI strives to offer a bug-free app. However, due to the large number of different systems
involved, this cannot always be guaranteed. To assist the app’s technical support team with
error analysis, you can send the error report that has been recorded in your app to the RKI. The
RKI will analyse the error report in order to be able to identify and eliminate the cause of the
errors that occur in your app.
</p>
<p>
For the error analysis, the error reports will be temporarily stored and analysed without any
connection to your name or identity. This means the RKI will not find out who you are or who you have met. Please note that if you provide your error report ID to the technical support team
(e.g. by email), this may reveal information about your identity.
</p>
<h3>
k. Surveys
</h3>
<p>
The surveys take place on a website outside of the app, which you will be redirected to. The app
will not transmit any data to the RKI in connection with the surveys. The purposes of an RKI
survey are described in the information about the survey on the survey website.
</p>
<h3>
l. Confirmation of the authenticity of your app
</h3>
<p>
A feature of your smartphone’s operating system is used to confirm the authenticity of your app.
This ensures that only app users whose app is functioning properly can share their data or
participate in surveys. This prevents the statistics and survey results from being distorted.
</p>
<p>
Please note that your operating system provider may be able to tell that your smartphone has
been authenticated and may therefore be able to infer your identity. However, your operating
system provider will not receive any further information about your use of the Corona-Warn-App.
</p>
<h2>
7. How does the transnational warning system work?
</h2>
<p>
To ensure that users are also warned by the official coronavirus apps of
other countries, the RKI, together with several official healthcare bodies
and authorities in other countries (hereinafter referred to as <strong>health
authorities</strong>) has set up central warning servers
for sharing warnings between countries (hereinafter referred to as the <strong>exchange
server</strong>).
</p>
<ul>
<li>The exchange server of the participating countries among European Member States uses the
digital infrastructure of the eHealth Network established between the Member States and the
EU.
</li>
<li>In order to also enable warnings between users of the Swiss coronavirus app and the
Corona-Warn-App, the RKI also operates another exchange server together with Switzerland
(Federal Office of Public Health of the Swiss Confederation).
</li>
</ul>
<p>
The national server systems of the coronavirus apps connected to the exchange servers regularly
transmit their own positive lists to the exchange servers and receive the positive lists of the
other countries. Transnational warnings can only be transmitted based on a positive PCR test and
only based on encounters recorded in the COVID-19 exposure notification system. Event IDs and
random IDs based on positive rapid antigen tests are therefore not transmitted to the exchange
servers.
</p>
<p>
Each server system merges the positive lists received in this way with its
own positive list, which allows the exposure logging feature to also
take into account possible exposures involving users of another coronavirus
app (see point 6 e.) The other participating countries proceed in the same
way with the positive lists provided by the RKI.
</p>
<p>
Only countries whose coronavirus apps are compatible with each other and
which guarantee a comparably high level of data protection can participate
in the exchange servers. In particular, this requires that the coronavirus apps of the participating countries also use the COVID-19
exposure notification system, are approved by the respective national
health authorities, and respect the privacy of their users.
</p>
<ul>
<li>The technical and organisational details of this cooperation concerning the exchange server
operated within the EU are laid down in an EU Commission Decision (Commission Implementing
Decision (EU) 2020/1023 of 15 July 2020, which is available at <a
href="https://eur-lex.europa.eu/eli/dec_impl/2020/1023/oj">
https://eur-lex.europa.eu/eli/dec_impl/2020/1023/oj</a>). Under it, together with the
respective competent health authorities of the participating countries, the RKI is a joint
controller under data protection law, meaning it is responsible for processing the
information contained on the positive lists (random IDs and, if applicable, information
about the onset of symptoms) on the exchange servers in order to enable the transnational
exposure logging and warning system.
</li>
<li>The operation and data exchange of the joint exchange server with Switzerland is regulated
in an individual agreement between the RKI and Switzerland, available at <a
href="https://www.rki.de/DE/Content/InfAZ/N/Neuartiges_Coronavirus/WarnApp/Warn_App.html">
https://www.rki.de/DE/Content/InfAZ/N/Neuartiges_Coronavirus/WarnApp/Warn_App.html</a>.
Under the agreement, the technical operation of the exchange server is carried out by the
Federal Office of Public Health of the Swiss Confederation. Together with the Federal Office
of Public Health of the Swiss Confederation, the RKI is a joint controller under data
protection law, meaning it is responsible for the storage, provision and subsequent erasure
of the positive lists.
</li>
</ul>
<p>
Please note that the list of participating countries is subject to change.
The current list, with details of the competent health authorities in each
case, can be found in the FAQs available at
<a href="https://www.coronawarn.app/en/faq/#interoperability_countries">
https://www.coronawarn.app/en/faq/#interoperability_countries</a>
.
</p>
<h2>
8. What permissions does the app require?
</h2>
<p>
The app requires access to a number of your smartphone’s features and
interfaces. For this purpose, you need to grant the app certain
permissions. The permission system depends on your operating system’s
specifications. For example, your smartphone may combine individual
permissions into permission categories, where you can only agree to the
permission category as a whole. Please note that without the permissions
requested by the app, you will not be able to use some or all of the app
features.
</p>
<h3>
a. Technical requirements (all smartphones)
</h3>
<ul>
<li>
The app requires an internet connection in order to exchange data with
the server system.
</li>
<li>
The Bluetooth feature must be enabled so that your smartphone can
transmit its own random IDs and record the random IDs of other
smartphones.
</li>
<li>
The app needs to be able to run in the background on your smartphone in
order to automatically identify your risk of infection and check the
status of your test. If you deny the app permission to run in
the background, then you must start all actions in the app itself.
</li></ul>
<h3>
b. Android smartphones
</h3>
<p>
If you are using an Android smartphone, the following system features must
also be enabled:
</p>
<ul>
<li>
The Android COVID-19 exposure notification system (COVID-19 Exposure
Notifications)
</li>
<li>
If you have a smartphone running on Android version 10 or lower,
location services need to be enabled for your smartphone to search for
Bluetooth signals from other smartphones. Please note that no location
data is collected in this process.
</li>
<li>
The notification feature must be enabled so that you can be notified of changes to your risk
of infection and the status of test results. The notification feature is enabled by default
in the operating system.
</li>
</ul>
<p>
The app also requires the following permissions:
</p>
<ul>
<li>
The features for retrieving a test result and checking in at an event require access to the
camera in order to scan QR codes.
</li>
</ul>
<h3>
c. iPhones (Apple iOS)
</h3>
<p>
If you are using an iPhone, the following system features must be enabled:
</p>
<ul>
<li>
The iOS COVID-19 exposure notification system (Exposure Notifications)
</li>
<li>
Notifications must be enabled so that you can be notified of changes to
your risk of infection and the status of your test.
</li>
</ul>
<p>
The app also requires the following permissions:
</p>
<ul>
<li>
The features for retrieving a test result and checking in at an event require access to the
camera in order to scan QR codes.
</li>
</ul>
<h2>
9. When will your data be deleted?
</h2>
<p>
The storage period depends on the purposes or app features for which your data has been stored.
When determining the storage period, the RKI takes into account the latest scientific findings
on the incubation period (i.e. the period between exposure to infection and the appearance of
the first symptoms, which is up to 14 days) as well as on how long there is a risk of an
infected person infecting someone else after the end of the incubation period. Unless otherwise specified under Section 6, the following storage periods apply:
</p>
<h3>
a. Data on your smartphone
</h3>
<p>
The positive lists are deleted from the app memory after 14 days. Event data under “My
check-ins” is automatically deleted after 14 days. Alternatively, you can delete entries under
“My check-ins” manually at any time. The infection risk determined for you (e.g. “low risk”) is
deleted from the app memory after each update, but after 14 days at the latest. If you have
retrieved a positive test result, the token in the app memory is deleted as soon as you activate
the warning feature. Your entries in the contact journal will be stored on your smartphone for
16 days before being automatically deleted. You can also delete these entries yourself at any
time. Please note that if entries are added to the contact journal when you check in at an event
or place, these will still be stored there even after you delete the associated check-in. Once
you have created your rapid test profile, it will be stored in the app until you delete it
yourself. Once you have scanned your vaccination certificates, these will also be stored in the
app until you delete them yourself.
</p>
<h3>
b. Data on server systems
</h3>
<p>
Positive lists are deleted from all server systems (including the exchange server) after 14
days. All other data, with the exception of data transmitted by the data sharing feature and to
confirm the authenticity of your app, will be deleted after 21 days at the latest.
</p>
<h3>
c. Data sharing
</h3>
<p>
Usage data and other voluntary information transmitted to the RKI by the data sharing feature
will be deleted after 180 days.
</p>
<h3>
d. Error reports
</h3>
<p>
You can delete a recorded error report on your smartphone at any time. Error reports that you
have sent to the technical support team will be deleted after 14 days at the latest.
</p>
<h3>
e. Confirmation of the authenticity of your app
</h3>
<p>
The identifier generated by your smartphone to confirm the authenticity of your app will be
deleted from the server system after 30 days after transmission to the RKI.
</p>
<h2>
10. Who will receive your data?
</h2>
<p>
If you warn other users of a positive PCR test via the app, your test result (in the form of
your random IDs from the last 14 days) as well as optional information you provide about the
onset of your symptoms will be forwarded to the competent health authorities of each of the
countries participating in the exchange servers. From there, they will be passed on to the
server systems of the coronavirus apps of those countries participating in the transnational
warning system. The server systems of the national coronavirus apps then distribute this
information to their own users as part of the positive lists. Event IDs are only distributed to
users of the Corona-Warn-App via the RKI’s server system. In the event of a warning based on a
positive rapid antigen test, your data will not be passed on to the exchange servers.
</p><p>
The competent national health authorities have commissioned the EU Commission, as data
processor, to operate and maintain the joint exchange server of the participating EU countries.
The exchange server for transnational warnings between the Corona-Warn-App and the Swiss
coronavirus app is operated and maintained by the Federal Office of Public Health of the Swiss
Confederation in consultation with the RKI.
</p>
<p>
The RKI has commissioned T-Systems International GmbH and SAP Deutschland
SE & Co. KG to operate and maintain part of the technical
infrastructure of the app (e.g. server system, hotline), meaning that these
two companies are processors under data protection law and acting on the
RKI’s behalf. The EU Commission has also commissioned these companies, as
sub-processors, with the technical provision and management of the
participating countries’ joint warning system.
</p>
<p>
Otherwise, the RKI will only pass on your data collected in connection with
your use of the app to third parties if the RKI is legally obliged to do so
or if this is necessary for legal action or criminal prosecution in the
case of attacks on the app’s technical infrastructure. In other cases,
personal data will not generally be passed on by the RKI.
</p>
<h2>
11. Is your data transferred to countries outside the EU?
</h2>
<p>
If you activate the warning feature based on a positive PCR test, your random IDs will also be
transmitted to Switzerland to the exchange server that is operated by the RKI together with the
Federal Office of Public Health of the Swiss Confederation. In the event of a warning based on a
positive rapid antigen test, no such transmission of your data will take place.
</p>
<p>
In addition, the confirmation of the authenticity of your app may involve the transfer of data
to a country outside the EU. The identifier generated by your smartphone, which contains
information about the version of your smartphone and the app, will be transmitted to the
provider of your smartphone’s operating system (Apple or Google). This may result in data being
transferred to third countries, in particular the US. There, the level of data protection may
not be considered equivalent under European law and it may not be possible to enforce your
European data protection rights. In particular, there is a possibility that once the transmitted
data reaches the operating system provider, it may be accessed and analysed by security
authorities in the third country, for example by linking the data with other information.
However, this only concerns the submitted identifier. It does not concern other information from
the app, such as exposure data.
</p>
<p>
Otherwise, the data transmitted by the app is processed exclusively on servers in Germany or in
another country in the EU (or the European Economic Area), which are therefore subject to the
strict requirements of the General Data Protection Regulation (GDPR).
</p>
<h2>12. How can you withdraw your consent?
</h2>
<p>
You have the right to withdraw any consent you granted the RKI in the app at any time with
effect for the future. Please note, however, that any processing of your data that has already
been carried out cannot be reversed. In particular, once your random IDs have been transmitted,
the RKI has no way of deleting these from other users’ smartphones.
</p>
<h3>
a. Consent to "exposure logging"
</h3>
<p>
You can withdraw your consent to the app’s exposure logging feature at any time by disabling the
feature in the app’s settings or by deleting the app. If you would like to use the exposure
logging feature again, you can re-enable the feature or reinstall the app.
</p>
<h3>
b. Consent to “retrieving a test result”
</h3>
<p>
You can withdraw your consent to the test result retrieval feature by displaying the test in the
app and then deleting it. The token for retrieving the test result will consequently be deleted
from the app memory, so that the token can no longer be assigned on the server system. It is not
possible to assign the same test to your app again or to scan the same QR code again. If you
have been tested again and wish to retrieve the test result, you will be asked for your consent
again. If the test result is already available in the app, then you can no longer withdraw your
consent.
</p>
<h3>
c. Consent to “warning others”
</h3>
<p>
If you would like to withdraw your consent to the transmission of your test result (or, more
precisely, your consent to the transmission of your random IDs and event IDs, including the
recorded check-in and check-out times, from the last 14 days) for warning other people, you can
display the test and then disable “Warn others”. You can also delete entries for events or
places under “My check-ins” and thus prevent data for these events from being used for warnings.
This option is available as long as you have not yet transmitted your random IDs and event IDs
to warn other users.
</p>
<p>
After you have transmitted your random IDs, you can only withdraw your consent by deleting the
app. Your random IDs already transmitted to the server system will consequently be deleted from
the app memory and can no longer be assigned to you personally or your smartphone. If you wish
to activate the warning feature again, you will need to reinstall the app and give your consent
again. Once a test result has been assigned to your app and transmitted in order to warn others,
it cannot be used again to warn others.
</p>
<p>
If event IDs have already been transmitted to the server system, you can also delete them from
the app memory, by deleting the entries for the events or places under “My check-ins”. Event IDs
can then no longer be assigned to you personally or your smartphone.
</p>
<p>
Once your random IDs, event IDs and transmission risk values have been transmitted, the RKI has
no way of deleting them from the positive lists distributed by the server system or from users’
smartphones. If you also wish to delete your exposure data stored in your smartphone’s COVID-19
exposure notification system, you may be able to manually delete it in your smartphone’s system
settings. Please also note the information in Section 5 b.
</p>
<h3>
d. Consent to “event check-in”
</h3>
<p>
You can delete entries for events or places at any time under “My check-ins”. This will prevent
data about these events from being used by the feature for warning others, and event IDs from
being assigned to you personally or your smartphone.
</p>
<h3>
e. Consent to “data sharing”
</h3>
<p>
You can withdraw your consent to the data sharing feature at any time by disabling the data sharing feature in the app’s settings. The app will then no longer transmit your usage data and
other voluntary information to the RKI on a daily basis. If you would like to allow data sharing
again, you can re-enable the feature in the settings.
</p>
<h3>
f. Consent to “error reports”
</h3>
<p>
You can withdraw your consent to the analysis of error reports already submitted to the RKI by
informing the technical support team that you no longer wish to have the error report analysed,
stating your error report ID. Your error report will then be deleted. Please note that the RKI
may learn your identity in the process. If you do not provide your error report ID to the
technical support team, the submitted error report will be automatically deleted after 14 days.
</p>
<h3>
g. Consent to “survey participation”
</h3>
<p>
You do not give your consent to participate in an RKI survey in the app, but via the website on
which the survey is conducted. There you will also find information about how you can withdraw
your consent.
</p>
<h3>
h. Consent to “confirmation of the authenticity of your app”
</h3>
<p>
If you withdraw your consent to the confirmation of your app’s authenticity, this will not
directly affect the related data processing. The transmission of the identifier generated by
your smartphone to the operating system provider, and the verification and confirmation of the
authenticity of your app, take place immediately after you have given your consent.
</p>
<h2>
13. What other rights do you have under data protection law?
</h2>
<p>
If the RKI processes your personal data, you also have the following data
protection rights:
</p>
<ul>
<li>
The rights under Art. 15, 16, 17, 18, 20 and 21 GDPR,
</li>
<li>
the right to contact the official
<a href="https://www.rki.de/DE/Content/Institut/OrgEinheiten/Datenschutz/Datenschutz_node.html">
RKI data protection officer</a>
and raise your concerns (Art. 38(4) GDPR) and
</li>
<li>
the right to lodge a complaint with a data protection
supervisory authority. To do so, you can either contact your local
supervisory authority or the authority responsible for the RKI. The
supervisory authority responsible for the RKI is the Federal
Commissioner for Data Protection and Freedom of Information,
Graurheindorfer Straße 153, 53117 Bonn.
</li>
</ul>
<p>
You also have these data protection rights vis-à-vis the health authorities responsible for data
processing in the countries participating in the exchange server, insofar as you have
transmitted your random IDs from recent days to warn other people (see Section 7).
</p>
<p>
Please note that the rights mentioned above can only be fulfilled if the data on which your claim is based can be clearly assigned to you. This
would only be possible if the app were used to collect further personal
data that would allow the data transmitted to the server system to be
clearly assigned to you or your smartphone. Since this is not necessary for
the purposes of the app, the RKI is not obliged to collect such additional
data (Art. 11(2) GDPR). Moreover, this would run counter to the stated
objective of collecting as little data as possible. For this reason, it
will generally not be possible to fulfil the above data protection rights
even if you provide additional information about your identity.
</p>
<h2>
14. Data protection officer and contact
</h2>
<p>
If you have any questions or concerns regarding data protection, you are
welcome to send them to the RKI’s official data protection officer by post
to Robert Koch-Institut, FAO the data protection officer, Nordufer 20,
13353 Berlin, or by emailing <a href="mailto:datenschutz@rki.de">datenschutz@rki.de</a>.
</p>
<p>
Last amended: 28 May 2021
</p>