Privacy policy according to Article 13 GDPR

1. Controller

Controller for processing your personal data is:

LEAD Horizon GmbH ("LEAD")
Walcherstraße 1A, Stiege 1, 4. Stock, 1020 Wien

2. Purpose of processing and legal basis

With your consent (Art. 6 para. 1 lit a GDPR in conjunction with Art. 9 para. 2 lit a GDPR), the personal data provided by you will be processed for the purpose of carrying out a COVID-19 test and transmitting findings to or by LEAD. These are in particular name, gender, address, date of birth, e-mail address, telephone number, time of test acceptance, the resulting COVID-19 infection status, the social security number and the type of sample material.

The data provided by you will be collected and stored by LEAD directly from you and (with the exception of the photographs, see below) transmitted to Lifebrain COVID Labor GmbH (Wipplingerstraße 35/10, 1010 Vienna) or another partner laboratory for the purpose of laboratory-medical analysis, where the sample material is evaluated by qualified specialists. The test results are then transmitted electronically to LEAD by the laboratory for the communication of results.

With your consent, you also agree that the data will be transmitted to the register for screening programmes of the Federal Ministry responsible for health care for legally permissible purposes (Art. 6 par. 1 lit a GDPR in conjunction with Art. 9 par. 2 lit a GDPR and § 5a par. 3 in accordance with § 5b Epidemics Act 1950). This serves to determine the prevalence (frequency) of the occurrence of COVID-19 in the population by means of mass testing (screening programme).

Participation in COVID-19 testing is voluntary. There are no disadvantages for you due to non-participation.

3. Identification

You will definitely get proof of the result of the test. If you also want to present your test result officially (i.e. to meet certain legal requirements), we must check your identity. For this we need a photo of your ID or e-card. The photo of your identity document or e-card is read out and processed with the help of text recognition software. In the further course of the application, we also create photographs of you when applying the gurgle test. These photos, together with the ID card or the e-card, serve to ensure that you (and no one else) apply the gurgle test. Your photos will not be passed on to the partner laboratory or other third parties. The legal basis for the processing of the photos for the stated purpose is your consent (Art. 6 (1) lit a GDPR in conjunction with Art 9 (2) lit a GDPR), which you give by clicking on “AUTHENTICATE”. This consent is voluntary; alternatively, you can refuse to verify your identity by selecting “SKIP PROOF”. In this case, however, you will not receive a certificate or medical report from the partner laboratory that you can officially present.

4. Other data recipients

The laboratory is legally obliged to report the test result to the health authorities (Art. 9 (2) (i) GDPR in the sense of § 3 (1) EpiG and § 1 (3) of the Ordinance on Electronic Laboratory Notifications in the Register of Notifiable Diseases). Further obligations to provide information regarding your personal data (including the sample material for the purpose of sequencing) may exist at the express request of the health authorities (Art. 9 (2) (i) GDPR in accordance with § 5 EpiG and § 10 (2) Data Protection Act).

In addition, there is a legal obligation for test centres and laboratories to transmit test data in electronic form to the Minister of Health, which creates an official test certificate and stores it in the so-called “EPI service” (Art. 9 (2) (i) GDPR in the form of § 4c (2) EpiG). The EPI service is operated by the Federal Ministry responsible for health care and is a web service that serves the purpose of issuing and providing test certificates to test persons and thus also forms the basis for the “Green Pass”.

As part of the school tests, aggregated information is passed on to the respective school for statistical purposes on the basis of Article 9 (2) (i) and (j) GDPR in accordance with § 7 (1) of the Data Protection Act. These data do not allow any conclusions to be drawn about individuals.

In addition, LEAD passes on aggregated information that can be derived from the test results on the basis of Art 9 (2) (i) and (j) GDPR in the sense of § 7 (1) DSG to scientific institutions for research purposes. The information passed on no longer has any connection to the persons concerned. We see this research as a further contribution to global efforts to combat the COVID-19 pandemic.

The data provided by you will not be transmitted by LEAD to any other third parties. Excepted from this is the transfer to processors such as the hoster Hetzner Online GmbH (Industriestraße 25, 91710 Gunzenhausen, Germany), which operates an ISO-certified data center in Germany, and Anyline GmbH (Zirkusgasse 13/2b, 1020 Vienna), which provides the software for text recognition. Both work exclusively on the instructions of LEAD. They do not use the data for their own purposes and are bound by their own agreements to the data protection obligations under the GDPR. The data will not be transferred to countries outside the European Union.

5. Storage period

We delete all data related to the test, including the photographs, 14 days after delivery of the result. Regarding the deletion of other data such as the access data to a user account, see point 8 below.

With regard to the data storage by the partner laboratories (in particular due to their legal storage obligations), reference is made to their data protection declarations.

6. Withdrawal of your consent

Please note that the provision of data is necessary to perform the COVID-19 testing. Since the participation is voluntary, you will not suffer any disadvantages due to non-participation. You have the right to withdraw your consent(s) at any time without giving reasons, which does not affect the lawfulness of the processing until the withdrawal has taken place. You can withdraw your consent to the processing of the photos and ID and e-card data for the determination of identity separately, but note that in this case we cannot issue a certificate and the laboratory cannot issue a medical report. For the withdrawal of your consent, please contact

7. Your rights

You have a right of access to the personal data we process, to rectification and erasure, to restriction of processing as well as a right to data portability, a right to object and a right to lodge a complaint to the protection authority; all this in accordance with the legal regulations. There is no automated decision-making (including profiling).

For concerns and questions about data protection, please contact our data protection officer at

8. Operation of your user account and the web app

If you create a user account on our web app, LEAD processes your access data (username and password) for the purpose of setting up and operating this account on the basis of our legitimate interests (Art. 6 (1) (f) GDPR). This data will be deleted 1 year after the last login.

For the operation of the web app, LEAD also processes technical telemetry data such as your IP address, which are necessary for the operation of the web app and the execution of the tests. LEAD also processes this data on the basis of the legitimate interest (Art. 6 (1) (f) GDPR) in a smooth technical operation. This data will also be deleted after 14 days.

If you contact us by e-mail, your personal data such as your e-mail address and e-mail correspondence for the purpose of customer service will be processed on the basis of the legitimate interest (Art. 6 (1) (f) GDPR) in a good customer relationship. This data will be deleted no later than 3 years after the last contact.

The web app uses cookies, whereby only technically necessary cookies are used:

  • lead_horizon_testkit_session – The session cookie is used to recognize you for the duration of your session and is necessary to ensure the functionality of the application. As soon as you close the web app, the session cookie is automatically deleted.
  • XSRF-TOKEN – supports a security measure to prevent cross-site request forgery or cross-site scripting. This cookie will also be deleted after your session has ended.
  • lh_id_set – encrypted storage of your sample number in the course of retrieving the result. This cookie will also be deleted after your session has ended.
  • lh_local – the cookie stores your language preference and will be deleted after 1 year at the latest.
  • lh_domain – the cookie stores the variant of the product you are using and will be deleted after 1 year at the latest.
  • lh_skip_2fa – the cookie is used to make 2-factor authentication easier for the user. It will be deleted after 14 days at the latest.
  • lh_restricted – the cookie stores the information that a valid access link has been used in crisis mode and is deleted after half a year at the latest.

Data processing by cookies is based on our legitimate interest (Art. 6 (1) (f) GDPR and § 96 (3) telecommunications law) in the provision of a functioning web app.