Data protection

Data Protection Notice

1. Introduction

Ecolog is a worldwide leader in the field of logistic solutions. This Data Protection Policy (hereinafter referred to as “Policy”) explains the relevant processing of Personal Data and the relevant data protection rights when you use the website www.ecolog-testcenter.com and related websites and the services offered by Ecolog on those websites, in particular the Eco-Care COVID-19 Test at the places designated on our websites. 

2. Mandatory information under the GDPR

2.1 Responsible controller and contact details

Data controller and responsible entity for the processing of Personal Data is 

Ecolog Deutschland GmbH 
In der Steele 14 
40599 Düsseldorf

You can reach our data protection officer under the same address with the addition “Attn: Data Protection Officer” or by email under dpo@ecolog-international.com 

2.2 Processing of Personal Data, Purposes and Legal Basis 

Ecolog processes and stores different Personal Data and Individuals have the data protection rights listed below.

1          Provision of the website

When you use our websites, data on your usage (such as the date and time of your visit, pages called up and files requested, type and version of the web browser used by you, type and operating system of the end device you use as well as your IP address) is temporarily stored in a log file on our server. The processing of the server log data is necessary for technical reasons in order to provide the website and render the services and thereafter to ensure the system security.

The legal basis for the processing is our legitimate interest in providing the website with our services (Art. 6 para. 1 (f) GDPR). The processing is a mandatory prerequisite for the use of our website; no objection right is hence available.

This data is deleted after [12] days at the latest.

The server log data may then be assessed in anonymised form for statistical purposes and to improve the quality of our internet presence. There is no link between the server log data and your personal data nor is the server log data combined in any way with other personal data sources.

2.2.2.A Registration for voluntary Testing at Brussels Airport

On our websites you can register for and book an appointment for testing at Brussels Airport. When you register you must enter you name, gender, contact details (i.e. address, telephone number, e-mail address), birth date, country and passport number) and set a personal password.

We process the registration data in order to set up and manage your customer account and administrate your testing appointment. As a registered customer you have access to your personal customer account (via your e-mail address and your chosen password), in which you can, amongst other things, check your order history as well as store and change your personal settings (e.g. password settings).

The legal basis for the processing is our legitimate interest pursuant to Art. 6 para. 1 (f) GDPR in providing you with the aforesaid “customer account” service, respectively the performance of a contract on the testing with you (Art. 6 para. 1 (b) GDPR).

This data is deleted when the registration on our website, respectively the customer account, is cancelled or modified.

You can object to a processing of your data on the basis of Art. 6 para. 1 (f) GDPR (according to Art. 21 (1) GDPR). In such cases we may, in principle, prove mandatory reasons for the processing in order to continue such processing. While it is possible to close the customer account, we will need continue to process the registration data in order conduct and administrate the registered testing.

2.2.2.B Registration for Mandatory Testing at Brussels Airports

On our websites you can register for and book an appointment for testing at Brussels Airport. When you register you must enter you name, gender, contact details (i.e. address, telephone number, e-mail address), birth date, country and passport number), flightdetails and set a personal password.

We process the registration data in order to set up and manage your customer account and administrate your testing appointment. As a registered customer you have access to your personal customer account (via your e-mail address and your chosen password), in which you can, amongst other things, check your order history as well as store and change your personal settings (e.g. password settings).

The legal basis for the processing is our legitimate interest pursuant to Art. 6 para. 1 (f) GDPR in providing you with the aforesaid “customer account” service, respectively the performance of a contract on the testing with you (Art. 6 para. 1 (b) GDPR).

This data is deleted when the registration on our website, respectively the customer account, is cancelled or modified.

You can object to a processing of your data on the basis of Art. 6 para. 1 (f) GDPR (according to Art. 21 (1) GDPR). In such cases we may, in principle, prove mandatory reasons for the processing in order to continue such processing. While it is possible to close the customer account, we will need continue to process the registration data in order conduct and administrate the registered testing

2.2.3 Testing and Notification of Test Results

Subject to your consent, we (and for the actual testing, our partners as described further below) collect and process Personal Data from registered Clients at the testing facility and our partner’s sites to (i) check your identity at the testing appointment, (ii) to conduct and administrate the subsequent testing of the samples, provide the certificate relating to the testing and to re-connect the test results to the right individuals, (iii) to notify the test results to the Clients electronically via our partner Eurofins, and (iv) to invoice our services. Please note that the test results (at least in case of a positive Covid test) are considered health data in the meaning of Art. 9 para. 1 GDPR: 

  • Registration data (see above)
  • Your Body Samples,
  • results of the biochemical analysis
  • payment data (e.g. name and creditcardnumber)

Any Personal Data of a Client will be stored for max. one month, unless otherwise stated in this statement. The body sample is not stored at all. The legal basis for the processing is the conclusion and fulfilment of the contract with the Client for the testing service, Art. 6 para. 1 (b) GDPR, as well as for the handling of the health data and the notification via electronic means your consent, Art. 6 para. 1 (a) and Art. 9 para. 2 (a) GDPR.

2.2.4 Cookies on our Websites

We use Cookies and comparable technologies (e.g. web beacons) on our Website. 

Cookies already stored on your device, can be deleted at any time, using the browser functionality. Non acceptance of Cookies, however, can lead to functional restrictions.  

a) Required Cookies and comparable technologies (“Required Cookies”) 

Required Cookies are used to enable basic website functionalities such as page navigation, to verify if a visitor has read the cookie notification, and to save visitor’s cookie settings. Therefore we use our own Cookies. Required Cookies cannot be disabled, otherwise our Website would not function correctly. The legal basis for the processing is Art. 6 para. 1 (b) GDPR.

b) Statistical Cookies and comparable technologies (“Statistical Cookies”) 

Statistical Cookies are used to analyse and improve our Website on the basis of general usage patterns. The legal basis for the processing is your consent, Art. 6 para. 1 (a) GDPR.

This website uses Google Analytics, a web analysis service of Google Inc. (“Google”). The information regarding your usage of this website generated by the use of Google Analytics is transmitted to and stored on a Google server in the US. However, due to the activated IP anonymisation on this website, Google will previously abbreviate your IP address within the member states of the European Union and in other contracting states under the Agreement on the European Economic Area. Only in exceptional cases will a full IP address be transmitted to a Google server in the U.S., where it will then be shortened. The IP address transmitted by the browser of the user will not be merged with any other Google data.

Google will use this information on our behalf to analyse the usage of our online offer by users, to compile reports on the activities regarding the use of the online offer, and to render further services to us in connection with the use of our online offer and internet usage. In this context, pseudonymous user profiles may be created from the processed data.

Users can prevent the storage of cookies by adjusting the setting of their browser accordingly; moreover, users can prevent that the data generated by the cookie on their use of the online offer is transmitted to and processed by Google by downloading and installing the browser plugin available at: http://tools.google.com/dlpage/gaoptout?hl=de.

2.3 Exchanging data with third parties, Data Recipients

Your personal data are sometimes shared with or received from third parties. We will never sell your personal data to anyone. Categories and examples of third parties with whom we share personal data are:

  • Eurofins Discovery GmbH: Eurofins is taking care of the analyses of the swap samples and of the communication of the testresult. The legal basis is your consent, Art. 6 para. 1 (a) GDPR.
  • If your test was voluntary we share payment details with our external service payment service Stripe: For the testing services and the issuing of a certificate we ask a financial compensation in case of voluntary testing which is paid through an external service provider. The legal basis is the performance of the contract with you, Art. 6 para. 1 (c) GDPR.
  • We may use technical service providers to provide general IT services, operate and host our websites and for the electronic submission of the test results. These service providers are our processors, Art. 28 GDPR.
  • Supervisory bodies: We exchanges personal data with supervisory bodies (like the Belgian Healthcare Authority or the Belgian Data Protection Authority) if this is needed by the supervisory body to carry out its official duties. This is required by law; In case of a positive test we are obliged by law to share your personal data with the proper authorities in Belgium. The testresult will be shared by our partner Eurofins with the proper authorities. The legal basis is our legal obligations and/or the public health interests as required by applicable local laws, Art. 6 para. 1 (c, e) GDPR, Art. 9 para. 2 (g, i) GDPR.

Whenever we use the services of third parties for activities, we endeavour to ensure that data is processed only within the European Union or countries/organisations that the European Commission considers to guarantee an adequate level of security. However, this is not always possible. Your personal data – excluding data concerning your health – may be processed in a country other than those referred to above. If so, we will contractually ensure that these processors provide sufficient guarantees, typically by using so-called Standard Contractual Clauses (you can exercise your further rights under Art. 13 para. 1 (f) GDPR by contacting us under the address named above).

2.4 Retention period

Unless otherwise stated in this Policy we store Personal Data only for as long as necessary to fulfil our contractual obligations. Thereafter we immediately delete Personal Data. However, we are required to store certain Personal Data longer for statutory reasons. We are obliged to store certain Personal Data for a mandatory period from 2 to 10 years under the German Commercial Code, the German Tax Code, the German Credit and Loans Act, the German Money Laundering Act, and the German Securities Act. Furthermore, we store certain Personal Data for the purpose of evidence in civil claims.   

2.5 Data protection rights

You have the following data protection rights under the applicable legal requirements, which you can exercise at any time under the address mentioned under “2.1 Responsible data controller and contact details” with the addition “Attn: Data Protection Officer” or by email under arjen.spierings@nd.net

2.5.1 Right of access

You have the right to obtain confirmation whether or not your Personal Data has been processed and if so, to access your Personal Data. The right of access may be restricted, e.g. by trade secrets or if restriction is necessary due to research purposes. Furthermore,  the right of access may be restricted by other applicable laws. You can request a copy of your Personal Data – in general – free of charge. Ecolog may charge a fee though, if you request further copies.

2.5.2 Right to data portability

You have the right to receive your Personal Data, which you have provided to Ecolog, in a structured, commonly used and machine-readable format (e.g. PDF). Furthermore, you may have your Personal Data transferred to another legal entity. The right to data-portability may be restricted, e.g. by trade secrets or if restriction is necessary due to research purposes. Furthermore, the right to data-portability may be restricted by statutory law

2.5.3 Right to rectification

You have the right to obtain rectification of your inaccurate Personal Data, and the right to have your incomplete Personal Data completed.

2.5.4 Right to erasure

You have the right to have your Personal Data erased. Ecolog may be required by applicable laws to store certain Personal Data after receiving a request to erase your Personal Data though (further information can be found under 2.4 Retention period).

2.5.5 Right to restriction of processing 

You have the right to obtain restriction of the processing of your Personal Data. 

2.5.6 Right to object 

You have the right to object to the processing of your Personal Data, if the processing is based on Ecolog’s legitimate interest (unless we can show our compelling legitimate grounds for the processing) or if your Personal Data are processed for direct marketing purposes.

2.5.7 Right to lodge a complaint

You have the right to lodge a complaint with the competent supervisory authority. You may also exercise this right with the supervisory authority of your place of residence, place of work or at the place where the alleged infringement occurred. 

2.5.8 Right to withdraw a consent 

Insofar as the processing of your Personal Data is based on your Consent, you have the right to withdraw your Consent at any time with effect for the future.  In case of your consent to the testing and notification of test results that will mean that we will not stop the processing described above (see 2.2.3) after we have taking the samples.

2.5.9. No automated decision-making including profiling

We do not use automated decision-making, including profiling, referred to in Art. 22 paras. 1 and 4 GDPR.

2.5.10 Applicable national laws 

Any further or modified rights under applicable national laws remain unaffected by the rights set forth herein.

2.5.11 Procedure 

In general, Ecolog will respond to Individuals’ no later than one (1) month after receiving an Individual’s Request. In exceptional cases, Ecolog may extend this period by two (2) further months with prior notice. If an Individual’s Request does not contain sufficient detail, Ecolog reserves the right to request additional information. Before denying any Individual’s Request, Associates must seek the advice of Ecolog’s legal department. Ecolog will provide the Individual with an explanation for any denied Individual’s Request.

3. Responsibilities

All Associates must adhere to the principles and rules set out in this Policy. It is the responsibility of every Ecolog manager, director or supervisor to adhere to this Policy within his or her area of functional responsibility, to lead by example, and to provide guidance to those Associates reporting to him or her.  

4. Security measures 

Ecolog has taken extensive measures to ensure the security of Personal Data, including the following: 

  • Organizational measures: Preparation and implementation of an internal control plan, regular employee training and education; 
  • Technical measures: Management of access rights to its systems, installation of an access control system, encryption of certain Personal Data, installation of security programs; 
  • Physical measures: Restriction of access to all internal data centres (e. g. computer rooms, data storage rooms), and  
  • Contractual measures: Third-Parties which host our systems are contractually bound, subject to our instructions and to regular monitoring. 

5. Consent to data processing

I, the undersigned, confirm that my laboratory sample, together with this form, enables Ecolog to process the test results and that my laboratory sample will be transferred to a laboratory mentioned in this statement. The laboratory will share the final test results to you, and you will be informed of the results by Eurofins in an encrypted manner as stated in the contact form.

I, the undersigned, consent to my personal data and the test result being passed on to the responsible health department. In the event that the responsible health department cannot be reached, my data (personal data and test results) will be passed on to the health department  or to the Infectious Diseases / Airport Task Force of Brussels Airport.

I, the undersigned, consent to the use of my personal data as described above in accordance with all applicable data protection regulations and laws, including the GDPR (as amended).

I consent that the personal data entered on the form are correct.

6. Changes to this Policy

Ecolog is dedicated to the highest standards and to continuously improve its services. Therefore we may change our services from time to time. Such changes may affect the Processing of Personal Data. We reserve the right to amend this Policy at any time. We advise you to inform yourself in regular intervals about the current status of this Policy.  

This version of this Policy is effective from September 2020.