Privacy statement for the luca contact form

Last revised and updated August 19, 2022

We, culture4life GmbH (“we” or “us”), are committed to safeguarding your privacy interests in connection with your use of our services, and strive at all times to maintain the security and integrity of your personal information in accordance with applicable data protection law. For this purpose, we agree to process your personal data solely for the purpose of assisting in contact tracing or providing proof of a test result, vaccination or recovery card as part of the COVID pandemic response and not to use or share it for any other purpose. Other purposes arise only when your data is processed during a visit to our website, in order to ensure a secure web presence, and when we process your requests (strictly for the purposes of that processing). We state these explicitly below.

Personal data is any information relating to an identified or identifiable natural person. Your name, your e-mail address, your whereabouts data and also your IP address therefore constitute personal data, for the processing of which the General Data Protection Regulation (hereinafter GDPR) sets strict limits. Even if this data is pseudonymized, for example through encryption (i.e., it cannot be assigned to you immediately, but only through a combination of data and keys), it must be protected under data protection law and treated in the same way as clear data. The requirements of the GDPR for handling this data primarily affect the controller, i.e. the party that collects and processes the data. If the data controller passes on the data to service providers in order to provide a service, this must be made transparent to you as the data subject. The respective service provider must be bound by the same standards as the controller and be supervised by the controller.

The contact form for digital contact data tracking is provided to you by the restaurateurs, retail stores, event organizers and other operators (hereinafter collectively referred to as “operators”) that you visit. When you fill out the contact form or check in with an operator, your contact information is collected as well as the dates of your stay. This data is encrypted with the keys of the health authorities and of the operator. The operator collects this data and is responsible for this processing; we act here as a processor for the operator and are obligated by corresponding contracts with the operator to comply with data protection requirements.

We are convinced that encryption helps to protect your personal data, as this means that it can only be viewed in its clear form by you and, if required, by the relevant health authority. In the following, we describe specifically which data we collect and process, on what basis and for what purposes, which service providers we pass this on to and which rights you have with regard to your data.

A. CONTROLLER FOR THE luca SYSTEM

The controller(s) of personal data collected directly by us:

culture4life GmbH

Mörikestrasse 67

70199 Stuttgart

Germany

info@culture4life.de

B. CONTACT DETAILS OF OUR DATA PROTECTION OFFICER

You can reach our data protection officer as follows:

culture4life GmbH

Data Protection Officer

Charlottenstraße 59

10117 Berlin

Germany

privacy@culture4life.de

C. COLLECTION AND PROCESSING when using the luca contact form

The luca contact form differs significantly from the other luca services. It is basically a digital alternative to the traditional paper-based form with operators.

1. Process description

Collection of data at the beginning of your stay:

If you would like to check in with an operator, the operator may offer you the luca digital contact form instead of having you provide the information on a printed contact form. After you enter your contact details, they are encrypted twice (with a key from the health authorities and with a key from the operator). Neither the operators nor we can decrypt your contact and whereabouts data. The encrypted data is transferred to the luca system and stored on the servers of our service providers (see section 5.) within the EU area.

Recording of data at the end of your stay:

After you have successfully checked in, the operator will check you out after a certain period of time, at the latest when the event or the premises close.

Transmission of contact tracing data by operators to the appropriate health department:

The health department may ask an operator which individuals were at the location at a particular time. The operator can then submit the requested data to the health department via the operator's luca profile. Since the data is doubly encrypted (with the operator's key and the health department's key), the operator's layer of encryption is removed in this step. The health department receives the data still encrypted with the health department key and can decrypt it. This means that only the health department can view the clear data. The operator is responsible for this processing and we act here as the processor for the operator.

2. Data categories

We process the following categories of data, which are necessary to provide or facilitate contact tracing in accordance with country regulations issued in connection with the control of COVID infections:

  • Contact details: Name, first name, address, telephone number, e-mail address.
  • Stay data: Name or designation of the operators with whom you have stayed, date, beginning and end of your stay, as well as the address of your place of stay.
  • Additional Input Data: Other information you submit through input fields in our Services, each of which relates to you, such as notes you enter in the free text fields of our Services.

3. Purposes and legal bases of the processing operations

We will process your personal data only for the purpose of contact tracing support in the context of the COVID pandemic response and in this context of improving data quality in accordance with the listed legal bases. The processing operations carried out for this purpose are described below and the respective legal bases for the processing of your personal data are stated.

No.

Processing and, if applicable, additional purpose

Legal basis

Controller

(1)

When you check in with an operator and use the contact form to do so, the operator uses luca to collect your contact data, stay data and, if applicable, additional input data.

The processing is based on the legal basis applicable to the operators. For those obliged to carry out contact tracing, this is the respective legal basis (respective state ordinance in conjunction with § 28a IfSG). For operators using luca voluntarily, this is your consent.

Operators

We process the data on the basis of the data processing agreement between the relevant operator and us.

(2)

The check-out is carried out by the operator.

The processing is based on the applicable basis for the operators. In the case of those obliged to track contacts, this is the respective legal basis (respective state ordinance in conjunction with § 28a IfSG). For operators using luca voluntarily, this is your consent.

Operators

We process the data on the basis of the data processing agreement between the relevant operator and us.

(3)

An operator you have visited may be requested by a health department to provide visitor data for a specified period of time. In the process, your contact data, functional data, residence data and, if applicable, additional input data will be transmitted to the health department.

The processing is carried out on the legal basis applicable to the operators. For those obliged to carry out contact tracing, this is the respective legal basis (respective state ordinance in conjunction with § 28a IfSG). For operators using luca voluntarily, this is your consent.

Operator

We process the data on the basis of the data processing agreement between the relevant operator and us.

5. Recipients of personal data

In order to achieve the purposes described earlier in this Privacy Policy, we disclose your personal data to the following recipients, with the understanding that they may not use your personal data in any way other than to provide services to us (as so-called processors within the meaning of Article 28 of the GDPR):

Services provided by suppliers

Provider

Processed data

Software maintenance and software operation services

neXenio GmbH, Charlottenstr. 59, 10117 Berlin

Contact data, Functional data, Residence data, Additional input data, Temporary usage data

(The processing is limited to a possible inspection of the listed data in the context of the implementation of the software maintenance and operation services).

IT infrastructure services (server)

Telekom Deutschland GmbH, Landgrabenweg 151, 53227 Bonn

Contact data, Functional data, Residence data, Additional input data, Temporary usage data

Server location: Germany, Hungary (Open Telekom Cloud)

IT infrastructure services

Bundesdruckerei Gruppe GmbH, Kommandantenstraße 18, 10969 Berlin

Contact data, Functional data, Residence data, Additional input data, Temporary usage data

Server location: Germany

SMS dispatch services

Message Mobile GmbH, Stresemannstraße 6, 21335 Lüneburg, Germany

Sinch Germany GmbH, Wilhelm-Wagenfeld-Str. 20, 80807 Munich

Phone number

Data processing agreements in accordance with Art. 28 GDPR have been concluded with these recipients. They can only process your data for a specific purpose and on our instructions.

6. Duration of the storage of personal data

Your personal data will be automatically deleted after expiry of the periods described below:

  • Contact Data, Stay Data and Additional Entry Data: Your contact information, stay data, and input data generated by or in connection with checking in with an operator will be deleted after 4 weeks in accordance with Corona/COVID infection control regulations.

D. RIGHTS OF THE DATA SUBJECTS

With regard to the processing of your personal data, you have the following rights provided for in the GDPR, which you can exercise against us for all processing operations for which we are responsible (see Part C.):

  • The right to request a statement as to whether your personal data are being processed and, if this is the case, the right to information about these data. This information includes, among other things, the purposes of processing, the categories of personal data processed and the recipients or categories of recipients to whom the personal data have been or will be disclosed (Art. 15 GDPR). We store your data exclusively in encrypted form and do not ourselves possess the keys required for decryption. Therefore, we cannot track whether personal data of a specific person is processed in the luca system. This is not the case for data that we receive from you as clear data when you contact us yourself (e.g., for support requests). With regard to these, we will be happy to provide you with the information upon request.
  • The right to request the rectification of your personal data if it is inaccurate or incomplete (Art. 16 GDPR). Due to the encryption, neither the operator nor we can change your data. We ourselves can only process your request with regard to data that we receive from you as clear data (e.g. through direct contact by you with us).
  • The right, under certain conditions, to request that your personal data be deleted without undue delay (so-called “right to be forgotten”) (Art. 17 GDPR).
    Your contact information, residence information, and entry information will be automatically deleted after 4 weeks in accordance with Corona/COVID infection control regulations. Earlier deletion of this data is not possible because of the statutory period. Neither we nor the operators can carry out the deletion for you. If we have stored data about you (e.g. because you have contacted us in another context) that we can assign to you or that is not based on the information you have entered within the luca contact form, we will delete this data in accordance with your request, unless there is a legitimate interest or statutory retention periods to the contrary.
  • The right to request the restriction of the processing of your personal data under certain conditions (Art. 18 GDPR). Due to the encryption and because we ourselves do not have the keys necessary for decryption, we can also only fulfill this right with regard to the clear data transmitted by you.

Please note that we generally do not process your personal data in the form of plain data, but in encrypted form, and therefore in certain cases we will not be able to comply with a corresponding request by you to grant the aforementioned rights.

To exercise these rights against us, you may also contact our Data Protection Officer, using the contact details set out in Part B of this Privacy Policy.

Notwithstanding the foregoing rights, you have the right to lodge a complaint with a supervisory authority for data protection and freedom of information, for example, the State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg:

State Commissioner for Data Protection and Freedom of Information Baden-Württemberg, Lautenschlagerstrasse 20, 70173 Stuttgart, P.O. Box 10 29 32, 70025 Stuttgart.