Privacy policy according to Article 13 DSGVO

1. responsible party

The controller for the processing of your personal data provided is following:

LEAD Horizon GmbH ("LEAD")
Sandwirtgasse 12/1, 1060 Wien

2. Purpose of processing and legal basis

With your consent (Art 6 para 1 lit a DSGVO in conjunction with Art 9 para 2 lit a DSGVO), the personal data provided by you will be processed for the purpose of carrying out a COVID-19 test and for the transmission of the findings to or by LEAD. These are in particular your name, gender, address, date of birth, e-mail address, telephone number, time of test collection, your resulting COVID-19 infection status, national insurance number and the type of sample material.

Your data will be collected and stored by LEAD directly from you and (with the exception of the photographs, see below) transmitted to Lifebrain COVID Labor GmbH (Wipplingerstrasse 35/10, 1010 Vienna, or another partner laboratory for the purpose of laboratory medical analysis, where your sample material will be evaluated by competent specialist personnel. The test results are then transmitted electronically from the laboratory to LEAD for result communication.

With your consent, you also agree that your data may be transmitted to the register for screening programmes of the Federal Minister responsible for Health for legally permissible purposes (Art 6 para 1 lit a in conjunction with Art 9 para 2 lit a DSGVO and § 5a para 3 in conjunction with § 5b Epidemic Act 1950). This serves to determine the prevalence (frequency) of the occurrence of COVID-19 in the population by means of mass tests (screening programme).

Participation in COVID-19 testing is voluntary. You will not suffer any disadvantages as a result of non-participation.

3. identity determination

If you want to present your test result officially, we need to proof your identity. To do this, we need your identity card or e-card. The photo of your ID document or e-card is read with the help of text recognition software and the contents of the ID document or e-card (document number, expiry date, name, national insurance number, etc.) are subsequently processed. In the further course of the application, we take photos of you using the gargle test. In addition to the ID card, these photos serve to ensure that you yourself (and no one else) use the gargle test. By clicking on "AUTHENTICATE", you consent to the processing of your ID card or e-card data and your photos for the aforementioned purpose (Art 6 Para 1 lit a in conjunction with Art 9 Para 2 lit a DSGVO). This consent is voluntary; alternatively, you can refuse to have your identity established by selecting "SKIP PROOF". In this case, you will not receive a certificate or a medical report from the partner laboratory.

4. further data recipients

In the case of a positive test result, the laboratory is also legally obliged to report the infection to the competent health authority. In the context of the COVID-19 pandemic, the reporting obligation may also include negative or invalid test results (§ 3 para 1 Epidemic Act 1950 in conjunction with § 1 para 3 of the Ordinance on Electronic Laboratory Reports to the Register of Notifiable Diseases in conjunction with Art 9 para 2 lit i DSGVO). Further obligations to provide information regarding your personal data may also exist at the request of the competent health authorities (§ 5 para 3 Epidemic Act 1950 and § 10 para 2 Data Protection Act).

In addition, LEAD passes on aggregated information, which can be derived from the test results on the basis of Art 9 (2) (i) and (j) of the Data Protection Regulation in conjunction with § 7 (1) of the Data Protection Act, to scientific institutions for research purposes. The information passed on no longer has any reference to the data subjects. We understand this research activity as a further contribution to the worldwide efforts to combat the COVID-19 pandemic.

As a matter of principle, LEAD does not pass on your data to any other third parties. The exception is the transfer to order processors, such as the hoster Hetzner Online GmbH (Industriestrasse 25, 91710 Gunzenhausen, Germany), which operates an ISO-certified data centre in Germany, and Anyline GmbH (Zirkusgasse 13 / 2b, 1020 Vienna, Austria), which provides the text recognition software, who work exclusively on the instructions of LEAD, do not use the data for their own purposes and are bound by their own agreements to the data protection obligations in accordance with the GDPR. Your data will not be transferred to countries outside the European Union.

5. storage period

If you create a user account, your access and master data will be deleted by LEAD 1 year after your last login, all other data already 14 days after delivery of the result to you.

The partner laboratories are subject to the legal retention obligations under medical law or other applicable legal retention obligations.

6. revocation of consent

Please note that the provision of your data is necessary in order to carry out the COVID-19 testing. However, as participation is voluntary, you will not suffer any disadvantages if you do not participate. You have the right to revoke your consent(s) at any time without giving reasons, which does not affect the lawfulness of the processing until revocation has taken place. You can separately revoke your consent to the processing of photos and ID and e-card data for the purpose of establishing your identity, but please note that in this case we will not be able to issue you with a certificate or a medical report from the partner laboratory. To revoke your consent, please contact

7. your rights

You have a right to information about the personal data processed by you, correction and deletion, restriction of processing as well as a right to data portability, a right of objection and a right of complaint to the data protection authority; all this in accordance with the legal regulations. No automated decision-making (including profiling) takes place.

For concerns and questions regarding data protection, please contact our data protection officer at

8. operation of the web app

For the operation of the web app, LEAD processes technical telemetry data such as your IP address, which are necessary for the operation of the web app and the performance of the tests. LEAD processes this data on the basis of legitimate interest (Art 6 para 1 lit f DSGVO) in smooth technical operation. This data is also deleted after 14 days.

If you contact us by e-mail, your personal data such as your e-mail address and e-mail correspondence will be processed for the purpose of customer care on the basis of the legitimate interest (Art 6 para 1 lit f DSGVO) in a good customer relationship. This data is deleted no later than 3 years after the last contact.

The web app also uses cookies, whereby only technically necessary cookies are used:

  • lead_horizon_testkit_session - The session cookie is used to recognise you for the duration of your session and is necessary to ensure the functionality of the app. As soon as you close the WebApp, the session cookie is automatically deleted.
  • XSRF-TOKEN - supports a security measure to prevent cross-site request forgery or cross-site scripting. This cookie is also deleted at the end of your session.
  • lh_id_set - encrypted storage of your sample number in the course of retrieving the result. This cookie is also deleted after the end of your session.
  • lh_local - the cookie stores your language preference and is deleted after 1 year at the latest.
  • lh_domain - the cookie stores the variant of the product you use and is deleted after 1 year at the latest.

The data processing by cookies is based on our legitimate interest (Art 6 para 1 lit f DSGVO and § 96 para 3 Telecommunications Act) in providing a functioning web app.