This repository has been archived by the owner on Jun 20, 2023. It is now read-only.

Fix/15012 Data Privacy Issues #5155

Merged
merged 1 commit into from
Apr 12, 2023
Original file line number Diff line number Diff line change
Expand Up @@ -1545,16 +1545,22 @@ <h2>
your random IDs from the last 14 days) as well as optional information you provide about the
onset of your symptoms and event IDs will be forwarded to the server system and then to users of
the Corona-Warn-App as part of the positive lists.
</p>
<p>
The RKI has commissioned T-Systems International GmbH and SAP Deutschland SE & Co. KG to operate
and maintain part of the technical infrastructure of the app (e.g. server system, hotline),
meaning that these two companies are processors under data protection law and acting on the
RKI’s behalf. Otherwise, the RKI will only pass on your data collected in connection with your
use of the app to third parties if the RKI is legally obliged to do so or if this is necessary
for legal action or criminal prosecution in the case of attacks on the app’s technical
infrastructure. In other cases, personal data will not generally be passed on by the RKI.
</p>
<p>
If, in the situations where it is required by law, you present a COVID Certificate to other
persons or entities (for example, European border authorities or service providers), they will
become aware of all the data contained in the certificate.
</p>
<p>
You can prevent this by only presenting the QR code of the COVID Certificate in the app, so that
it can be scanned using a verification app (e.g. as proof of your vaccination status and
entitlement to certain exemptions under coronavirus restrictions). Then, only the data contained
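Review bot: The company name in the paragraph this hunk splits off, "SAP Deutschland SE & Co. KG", carries a bare "&" in the HTML source. Browsers tolerate it, but it should be written as "&amp;" so the file validates and no stricter parser treats "& Co" as the start of an entity. Since the hunk already changes this paragraph's boundaries, fix it in the same change.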
Expand All @@ -1566,6 +1572,8 @@ <h2>
certificate is a test certificate or not. In the case of test certificates, the time of sampling
is then also displayed so that the person performing the check can assess whether the underlying
test result is still valid.
</p>
<p>
During certificate verification for ticket bookings, your COVID certificates and booking
information are transmitted to a verification partner used by the provider. The specific
verification partner is displayed in the app before transmitting the information. To retrieve
Expand All @@ -1579,6 +1587,8 @@ <h2>
<p>
Users of the Corona-Warn-App can retrieve the latest positive lists regardless of where they are
(even if they are abroad on holiday or on a business trip, for example).
</p>
<p>
In addition, the confirmation of the authenticity of your app may involve the transfer of data
to a country outside the EU. The identifier generated by your smartphone, which contains
information about the version of your smartphone and the app, will be transmitted to the
Expand All @@ -1589,6 +1599,8 @@ <h2>
data reaches the operating system provider, it may be accessed and analysed by security
authorities in the third country, for example by linking the data with other information from
other sources.
</p>
<p>
Otherwise, the data transmitted by the app is processed exclusively on servers in Germany or in
another country in the EU (or the European Economic Area), which are therefore subject to the
strict requirements of the General Data Protection Regulation (GDPR).
Expand Down Expand Up @@ -1743,7 +1755,7 @@ <h2>
</li>
<li>
The right to lodge a complaint with a data protection
supervisory authority. To do so, you can either contact your local
supervisory authority. To do so, you can for example contact your local
supervisory authority or the authority responsible for the RKI. The
supervisory authority responsible for the RKI is the Federal
Commissioner for Data Protection and Freedom of Information,
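Review bot: The replacement line "To do so, you can for example contact your local" reads awkwardly without commas around "for example"; suggest "To do so, you can, for example, contact your local". Note that dropping "either" turns the two authorities named afterwards into examples rather than an exhaustive pair, which matches "beispielsweise" in the German text of this pull request.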
Expand All @@ -1763,11 +1775,6 @@ <h2>
even if you provide additional information about your identity.

</p>
<p>
If the hash value of the electronic signature is temporarily stored when a digital COVID
certificate is updated, this does not enable the RKI to determine the identity of certificate
holders (see Section 6 o.).
</p>
<p>
If the hash values of the electronic signatures are temporarily stored when a digital COVID
certificate is updated, this does not enable the RKI to determine the identity of certificate
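Review bot: The deleted singular paragraph ends with the cross-reference "(see Section 6 o.)", but the retained plural paragraph ("If the hash values of the electronic signatures ...") is cut off by the hunk context before its last line. Please confirm the retained paragraph still ends with that cross-reference, since it is the only pointer from this statement to the section describing the temporary storage. The empty line left before the preceding "</p>" could also be removed while this block is being edited.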
Expand All @@ -1783,5 +1790,6 @@ <h2>
to Robert Koch-Institut, FAO the data protection officer, Nordufer 20,
13353 Berlin, or by emailing <a href="mailto:datenschutz@rki.de">datenschutz@rki.de</a>.
</p>

</body>
</html>
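Review bot: The only change in this hunk is an extra blank line before "</body>". It is unrelated to the privacy text and could be dropped so the diff contains only content changes.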
Original file line number Diff line number Diff line change
Expand Up @@ -99,7 +99,7 @@ <h1>
Falls Sie Fragen zur Verarbeitung Ihrer Daten durch das RKI haben, können Sie weiterhin die
behördliche Datenschutzbeauftragte des RKI kontaktieren (Art. 38 Abs. 4 DSGVO). Zudem haben Sie
das Recht, sich bei einer Aufsichtsbehörde für den Datenschutz zu beschweren. Dazu können Sie
sich beispielsweise an die Aufsichtsbehörde an Ihrem Wohnort oder direkt an die für des RKI
sich beispielsweise an die Aufsichtsbehörde an Ihrem Wohnort oder direkt an die für das RKI
zuständige Behörde wenden. Die zuständige Aufsichtsbehörde für das RKI ist der Bundesbeauftragte
für den Datenschutz und die Informationsfreiheit, Graurheindorfer Str. 153, 53117 Bonn.
</p>
Expand Down Expand Up @@ -1586,16 +1586,22 @@ <h2>
Testergebnis (in Form Ihrer Zufalls-IDs der letzten 14 Tage) sowie optionale Angaben zum
Symptombeginn und Event-IDs an das Serversystem weitergegeben und dann als Bestandteil der
Positiv-Listen an die Nutzer der Corona-Warn-App.
</p>
<p>
Mit dem Betrieb und der Wartung eines Teils der technischen Infrastruktur der App (z. B.
Serversysteme, Hotline) hat das RKI die T-Systems International GmbH und die SAP Deutschland SE
& Co. KG beauftragt, die als Auftragsverarbeiter des RKI tätig werden. Im Übrigen gibt das RKI
Ihre Daten, die im Zusammenhang mit der Nutzung der App erhoben werden, nur an Dritte weiter,
soweit das RKI rechtlich dazu verpflichtet ist oder die Weitergabe im Falle von Angriffen auf
die technische Infrastruktur der App zur Rechts- oder Strafverfolgung erforderlich ist. Eine
Weitergabe durch das RKI in anderen Fällen erfolgt grundsätzlich nicht.
</p>
<p>
Wenn Sie anderen Personen oder Einrichtungen in den gesetzlich vorgesehenen Situationen
(beispielsweise europäische Grenzbehörden oder Dienstleister) ein COVID-Zertifikat vorzeigen,
erlangen diese Kenntnis über alle im Zertifikat enthaltenen Daten.
</p>
<p>
Dies können Sie verhindern, indem Sie nur den QR-Code des COVID-Zertifikats in der App
vorzeigen, sodass dieser mit einer Prüf-App gescannt werden kann (z. B. als Nachweis der
Schutzimpfung im Rahmen einer Ausnahme von Schutzmaßnahmen gegen das Coronavirus). Dann werden
Expand All @@ -1607,6 +1613,8 @@ <h2>
ein Testzertifikat handelt oder nicht. Bei Testzertifikaten wird dann auch der Zeitpunkt der
Probenahme angezeigt, damit die prüfende Person beurteilen kann, ob das zugrunde liegende
Testergebnis noch gültig ist.
</p>
<p>
Bei der Zertifikatsprüfung für Ticketbuchungen werden Ihre COVID-Zertifikate und die
Buchungsdaten an einen Prüfpartner des Anbieters übermittelt. Der konkrete Prüfpartner wird
Ihnen vor der Übermittlung in der App angezeigt. Zum Abruf der individuellen Buchungsdaten
Expand All @@ -1619,6 +1627,8 @@ <h2>
<p>
Die aktuellen Positiv-Listen können durch Nutzer der Corona-Warn-App unabhängig vom
Aufenthaltsort des Nutzers (etwa im Urlaub oder auf Geschäftsreise) abgerufen werden.
</p>
<p>
Zudem kann es im Rahmen der Bestätigung der Echtheit Ihrer App zu einer Übermittlung von Daten
in ein Land außerhalb der EU kommen. Die von Ihrem Smartphone erzeugte Kennung, die
Informationen über die Version Ihres Smartphones und der App enthält, wird an den Hersteller des
Expand All @@ -1629,6 +1639,8 @@ <h2>
Möglichkeit, dass Sicherheitsbehörden im Drittland auf die übermittelten Daten beim Hersteller
des Betriebssystems zugreifen und diese auswerten, beispielsweise indem sie Daten mit anderen
Informationen aus anderen Quellen verknüpfen.
</p>
<p>
Im Übrigen werden die von der App übermittelten Daten ausschließlich auf Servern in Deutschland
oder in einem anderen Land in der EU (oder dem Europäischen Wirtschaftsraum) verarbeitet, die
somit den strengen Anforderungen der Datenschutz-Grundverordnung (DSGVO) unterliegen.
Expand Down Expand Up @@ -1768,13 +1780,20 @@ <h2>
die Rechte aus den Artikeln 15, 16, 17, 18, 20 und 21 DSGVO,
</li>
<li>
das Recht, die <a href="https://www.rki.de/DE/Content/Institut/OrgEinheiten/Datenschutz/Datenschutz_node.html">behördliche Datenschutzbeauftragte des RKI</a> zu kontaktieren und Ihr Anliegen vorzubringen (Art. 38 Abs. 4 DSGVO) und
das Recht, die behördliche
<a href="https://www.rki.de/DE/Content/Institut/OrgEinheiten/Datenschutz/Datenschutz_node.html">Datenschutzbeauftragte
des RKI</a>
zu kontaktieren und Ihr Anliegen vorzubringen
(Art. 38 Abs. 4 DSGVO) und
</li>
<li>
das Recht, sich bei einer Aufsichtsbehörde für den
Datenschutz zu beschweren. Dazu können Sie sich beispielsweise an die Aufsichtsbehörde an Ihrem Wohnort
oder an die für das RKI zuständige Behörde wenden. Die zuständige Aufsichtsbehörde für das RKI
ist der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit, Graurheindorfer Str. 153, 53117 Bonn.
Datenschutz zu beschweren. Dazu können Sie sich beispielsweise an die Aufsichtsbehörde an
Ihrem Wohnort
oder an die für das RKI
zuständige Behörde wenden. Die zuständige Aufsichtsbehörde für das RKI
ist der Bundesbeauftragte für den Datenschutz und die
Informationsfreiheit, Graurheindorfer Str. 153, 53117 Bonn.
</li>
</ul>
<p>
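Review bot: In the first rewritten list item the link text changes, not just the wrapping: "behördliche" now sits outside the <a> element, and the anchor text "Datenschutzbeauftragte des RKI" breaks across two lines. If only a re-wrap was intended, keep "behördliche" inside the link as before. The second item is re-wrapped into uneven fragments ("Ihrem Wohnort", "oder an die für das RKI") with no visible wording change; wrapping it at a consistent width would keep the diff reviewable.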
Expand Down Expand Up @@ -1806,5 +1825,6 @@ <h2>
<a href="mailto:datenschutz@rki.de">datenschutz@rki.de</a>.
</p>


</body>
</html>
Original file line number Diff line number Diff line change
Expand Up @@ -1545,16 +1545,22 @@ <h2>
your random IDs from the last 14 days) as well as optional information you provide about the
onset of your symptoms and event IDs will be forwarded to the server system and then to users of
the Corona-Warn-App as part of the positive lists.
</p>
<p>
The RKI has commissioned T-Systems International GmbH and SAP Deutschland SE & Co. KG to operate
and maintain part of the technical infrastructure of the app (e.g. server system, hotline),
meaning that these two companies are processors under data protection law and acting on the
RKI’s behalf. Otherwise, the RKI will only pass on your data collected in connection with your
use of the app to third parties if the RKI is legally obliged to do so or if this is necessary
for legal action or criminal prosecution in the case of attacks on the app’s technical
infrastructure. In other cases, personal data will not generally be passed on by the RKI.
</p>
<p>
If, in the situations where it is required by law, you present a COVID Certificate to other
persons or entities (for example, European border authorities or service providers), they will
become aware of all the data contained in the certificate.
</p>
<p>
You can prevent this by only presenting the QR code of the COVID Certificate in the app, so that
it can be scanned using a verification app (e.g. as proof of your vaccination status and
entitlement to certain exemptions under coronavirus restrictions). Then, only the data contained
Expand All @@ -1566,6 +1572,8 @@ <h2>
certificate is a test certificate or not. In the case of test certificates, the time of sampling
is then also displayed so that the person performing the check can assess whether the underlying
test result is still valid.
</p>
<p>
During certificate verification for ticket bookings, your COVID certificates and booking
information are transmitted to a verification partner used by the provider. The specific
verification partner is displayed in the app before transmitting the information. To retrieve
Expand All @@ -1579,6 +1587,8 @@ <h2>
<p>
Users of the Corona-Warn-App can retrieve the latest positive lists regardless of where they are
(even if they are abroad on holiday or on a business trip, for example).
</p>
<p>
In addition, the confirmation of the authenticity of your app may involve the transfer of data
to a country outside the EU. The identifier generated by your smartphone, which contains
information about the version of your smartphone and the app, will be transmitted to the
Expand All @@ -1589,6 +1599,8 @@ <h2>
data reaches the operating system provider, it may be accessed and analysed by security
authorities in the third country, for example by linking the data with other information from
other sources.
</p>
<p>
Otherwise, the data transmitted by the app is processed exclusively on servers in Germany or in
another country in the EU (or the European Economic Area), which are therefore subject to the
strict requirements of the General Data Protection Regulation (GDPR).
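Review bot: After this hunk the diff for this file jumps straight to "@@ -1763,11 +1775,6 @@", with no counterpart to the "@@ -1743,7 +1755,7 @@" change ("you can either contact" to "you can for example contact") that the other two files with this English text receive. Please check whether this file still says "either" at that position and, if so, apply the same wording change so the copies do not diverge.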
Expand Down Expand Up @@ -1763,11 +1775,6 @@ <h2>
even if you provide additional information about your identity.

</p>
<p>
If the hash value of the electronic signature is temporarily stored when a digital COVID
certificate is updated, this does not enable the RKI to determine the identity of certificate
holders (see Section 6 o.).
</p>
<p>
If the hash values of the electronic signatures are temporarily stored when a digital COVID
certificate is updated, this does not enable the RKI to determine the identity of certificate
Expand All @@ -1783,5 +1790,6 @@ <h2>
to Robert Koch-Institut, FAO the data protection officer, Nordufer 20,
13353 Berlin, or by emailing <a href="mailto:datenschutz@rki.de">datenschutz@rki.de</a>.
</p>

</body>
</html>
Original file line number Diff line number Diff line change
Expand Up @@ -1545,16 +1545,22 @@ <h2>
your random IDs from the last 14 days) as well as optional information you provide about the
onset of your symptoms and event IDs will be forwarded to the server system and then to users of
the Corona-Warn-App as part of the positive lists.
</p>
<p>
The RKI has commissioned T-Systems International GmbH and SAP Deutschland SE & Co. KG to operate
and maintain part of the technical infrastructure of the app (e.g. server system, hotline),
meaning that these two companies are processors under data protection law and acting on the
RKI’s behalf. Otherwise, the RKI will only pass on your data collected in connection with your
use of the app to third parties if the RKI is legally obliged to do so or if this is necessary
for legal action or criminal prosecution in the case of attacks on the app’s technical
infrastructure. In other cases, personal data will not generally be passed on by the RKI.
</p>
<p>
If, in the situations where it is required by law, you present a COVID Certificate to other
persons or entities (for example, European border authorities or service providers), they will
become aware of all the data contained in the certificate.
</p>
<p>
You can prevent this by only presenting the QR code of the COVID Certificate in the app, so that
it can be scanned using a verification app (e.g. as proof of your vaccination status and
entitlement to certain exemptions under coronavirus restrictions). Then, only the data contained
Expand All @@ -1566,6 +1572,8 @@ <h2>
certificate is a test certificate or not. In the case of test certificates, the time of sampling
is then also displayed so that the person performing the check can assess whether the underlying
test result is still valid.
</p>
<p>
During certificate verification for ticket bookings, your COVID certificates and booking
information are transmitted to a verification partner used by the provider. The specific
verification partner is displayed in the app before transmitting the information. To retrieve
Expand All @@ -1579,6 +1587,8 @@ <h2>
<p>
Users of the Corona-Warn-App can retrieve the latest positive lists regardless of where they are
(even if they are abroad on holiday or on a business trip, for example).
</p>
<p>
In addition, the confirmation of the authenticity of your app may involve the transfer of data
to a country outside the EU. The identifier generated by your smartphone, which contains
information about the version of your smartphone and the app, will be transmitted to the
Expand All @@ -1589,6 +1599,8 @@ <h2>
data reaches the operating system provider, it may be accessed and analysed by security
authorities in the third country, for example by linking the data with other information from
other sources.
</p>
<p>
Otherwise, the data transmitted by the app is processed exclusively on servers in Germany or in
another country in the EU (or the European Economic Area), which are therefore subject to the
strict requirements of the General Data Protection Regulation (GDPR).
Expand Down Expand Up @@ -1743,7 +1755,7 @@ <h2>
</li>
<li>
The right to lodge a complaint with a data protection
supervisory authority. To do so, you can either contact your local
supervisory authority. To do so, you can for example contact your local
supervisory authority or the authority responsible for the RKI. The
supervisory authority responsible for the RKI is the Federal
Commissioner for Data Protection and Freedom of Information,
Expand All @@ -1763,11 +1775,6 @@ <h2>
even if you provide additional information about your identity.

</p>
<p>
If the hash value of the electronic signature is temporarily stored when a digital COVID
certificate is updated, this does not enable the RKI to determine the identity of certificate
holders (see Section 6 o.).
</p>
<p>
If the hash values of the electronic signatures are temporarily stored when a digital COVID
certificate is updated, this does not enable the RKI to determine the identity of certificate
Expand All @@ -1783,5 +1790,6 @@ <h2>
to Robert Koch-Institut, FAO the data protection officer, Nordufer 20,
13353 Berlin, or by emailing <a href="mailto:datenschutz@rki.de">datenschutz@rki.de</a>.
</p>

</body>
</html>