Privacy policy

This privacy policy explains how we handle your personal data. The applicable data protection law, in particular the General Data Protection Regulation (DSGVO), shall apply. With the exception of the service providers and third-party suppliers that we name in this data protection declaration, we do not pass on any data to third parties. If you have any questions, please do not hesitate to contact us.

Department in charge

The party responsible for data processing is German Aids Federation, Wilhelmstr. 138, 10963 Berlin.

Data Protection Officer:

Lawyer Jasper Prigge c/o PRIGGE Law, Kasernenstr. 23, 40213 Düsseldorf, Germany

E-Mail: datenschutz@dah.aidshilfe.de

Website hosting

Each time our website is accessed, the browser of the person visiting our website transmits various data. Our server stores the following data of persons visiting our website in log files even after a connection ends:

The processing of this data is necessary to be able to deliver the website to the user and to optimize it for his/her terminal device. The storage in log files serves to improve the security of our website (e.g. protection against DDoS attacks). IP addresses are anonymized before being stored in log files.

The legal basis for the processing is Art. 6 para. 1 UAbs. 1 letter f) DSGVO. Our legitimate interest is to provide the website and improve website security. Log files are automatically deleted after 7 days.

Use of cookies

Our website uses cookies. These are small files that are stored on the terminal device of people who visit our website.

Cookies may be necessary for our website to function properly. They are referred to as technically necessary cookies. The legal basis for the use of such cookies is Art. 6 (1) UAbs. 1 lit. f) DSGVO. Our legitimate interest lies in the provision of the functions of our website. The person visiting our website can prevent and object to the processing of data using cookies by making the appropriate settings in his/her browser. In case of objection, not all functions of our website may be available.

We use cookies that are not required for the operation of our website in order to make our offer more user-friendly. Such cookies are only stored on the terminal device of the person visiting our website if they have given their consent. The legal basis is Art. 6 para. 1 UAbs. 1 letter a) DSGVO. We provide separate information in this privacy policy about which cookies are involved and in what way personal data is processed with their help. The person visiting our website can revoke a given consent by, among other things, the settings in his/her browser.

In the event that the user wishes to object to the use of cookies by certain services or revoke the consent given (so-called opt-out), we sometimes provide links in this privacy policy. These are labeled "Opt-Out".

Registration and use of test kits

Users must register on our website to use s.a.m health. At s.a.m health, tests for infectious diseases (HIV infection, syphilis, chlamydia infection and gonorrhea) are performed, in which users take the sample material themselves and send it to a laboratory. The laboratory analyzes the sample material for the relevant pathogens (HIV, Treponema pallidum, Chlamydia, Gonococcus) and transmits the results to the s.a.m health online platform. The laboratory only knows a code, but not the name or other data that could be used to identify the user.

In the course of registration and ordering s.a.m health test kits, we process the following categories of data:

In addition, we process the following special categories of personal data:

During registration, we ask health-related questions that we use for anonymous statistical evaluation of the use of s.a.m health as well as for individual counseling, for example, to determine whether a send-in test by taking samples at home is at all useful or whether a visit to the doctor would be better, e.g. because of existing symptoms. Before processing, we obtain consent from the user for the processing of health data in accordance with Art. 9 (1) a) DSGVO.

We have the mobile phone number provided during registration confirmed by sending a code (double opt-in) to prevent misuse of the registration function. For this purpose, we also process the date and time and the IP address of the user. For verification purposes, we also process the date, time and IP address of the user in the event of confirmation. We use the mobile phone number to inform the user by text message when a new test kit is available or should be ordered. We also use the mobile phone number to contact the user by SMS.

If an s.a.m health test kit is ordered, the user can send the sample material to the laboratory cooperating with us. The laboratory transmits the test results to the s.a.m health online platform via an interface. The personal data of our users are not known to the laboratory, since the sample sent by the user is only provided with an identification number, which is only linked to the user's data in the online platform after the test results have been transmitted by the laboratory. The laboratory itself has no access to the online platform.

Social Fund Criteria

In April 2022, a fund was set up to provide the s.a.m health test kit at a reduced price to people who do not have the financial means for the test kit. The criteria that entitle the user to access a subsidized test kit are requested during the consultation and recorded in the online platform. The social fund criteria are only recorded for users who wish to access a discounted test kit from the social fund. The legal basis is Art. 6 para. 1 UAbs. 1 letter a) DSGVO.

Data sharing

Data will not be passed on to third parties. The sample material sent in by the user is tested by a laboratory cooperating with us. According to § 6 of the Infection Protection Act (IfSG), a confirmed HIV diagnosis must be reported. The laboratory, which has no access to personal data, performs a confirmatory test on a reactive sample and reports the diagnosis to s.a.m health. A doctor from the German Aids Federation then reports this infection to the Robert Koch Institute in pseudonymized form without mentioning the name of the person concerned. The legal basis for the processing is Art. 6 para. 1 UAbs. 1 lit. c) DSGVO.

Deletion of data

We store personal data for as long as necessary to fulfill the purpose for which it was collected or as required by law. Health-related data collected when conducting home tests will be deleted in accordance with Section 630 f (3) of the German Civil Code (BGB) upon expiration of ten years after the last test kit was purchased. If processing is based on consent, which is the case with test results, the data will also be deleted if consent is revoked and it is not required for the assertion, exercise or defense of legal claims. Tax-relevant data is deleted upon expiration of the statutory period of ten years.

Legal basis

The legal basis for the processing is Art. 6 para. 1 UAbs. 1 letter a) DSGVO, insofar as we obtain the consent of the user. If the processing is necessary for the performance of a contract or for the implementation of pre-contractual measures, it is based on Art. 6 para. 1 UAbs. 1 letter b) DSGVO. If processing is necessary for compliance with a legal obligation to which Deutsche Aidshilfe is subject, Art. 6 para. 1 UAbs. 1 lit. c) is the legal basis. Otherwise, the legal basis is Art. 6 para. 1 UAbs. 1 lit. f) DSGVO. Our legitimate interest is to enable users to access our offer requiring registration, to protect ourselves against misuse of the registration function and to be able to prove proper registration. After the deletion of the account, our legitimate interest also consists in the defense against possible claims.

The legal basis for the processing of special categories of personal data, in particular test results, is the consent of the users pursuant to Article 9 (2) (a) of the GDPR. If the processing is necessary for the assertion, exercise or defense of legal claims, the processing is based on Art. 9 (2) (f) DSGVO.

Joint responsibility

When registering, users can select the local s.a.m checkpoint with which they would like to have an initial consultation. It is possible to make an appointment for the initial consultation on site or for a telephone consultation. In addition to the German Aids Federation, the respective s.a.m checkpoint also has access to the data processed in connection with the registration, as well as to the correspondence and test results. Thus, the checkpoint selected by the user is jointly responsible with us for the processing of personal data stored on the s.a.m. online platform. A list of s.a.m. checkpoints is available here: https://samhealth.de/en/about/get-in-touch

In order to allocate responsibility under data protection law, we have concluded an agreement with the respective s.a.m checkpoint in accordance with Art. 26 DSGVO. In this agreement, we have agreed that Deutsche Aidshilfe e.V. is responsible for providing information.

Essentially, it was agreed that Deutsche Aidshilfe e.V., as the project sponsor of s.a.m health, would technically provide and manage the website and online platform through which orders for test kits are processed. In addition to the data provided when registering via the website, the online platform also stores the test results of the samples sent to the laboratory. The respective s.a.m checkpoint acts as a testing and counseling center and can access the data provided via the online platform for the users it supports and their test results. It informs users about test results, ensures counseling and, if necessary, referral to health care.

Contact

When a user contacts us, the user's details and the date and time are stored for the purpose of processing the request, including any queries.

The legal basis for data processing is Art. 6 para. 1 UAbs. 1 letter f) DSGVO. Our legitimate interest is to respond to the requests of our users. Additional legal basis is Art. 6 para. 1 UAbs. 1 lit. b) DSGVO, if the data processing takes place in the context of a contractual relationship or is necessary for the implementation of pre-contractual measures.

The data is deleted as soon as the request, including any queries, has been answered, i.e. it can no longer be assumed that the conversation will continue. We check this every two years.

Payment processing

When ordering a test kit, we process the payment data provided, such as name, bank details or credit card data, to process the payment. We only pass on payment data to our payment service providers if this is necessary to process the payment.

Payment data will be deleted as soon as they are no longer required for processing or reversing the payment (e.g. due to a revocation or withdrawal from the contract) and there are no legal retention obligations. In the event that the user stores his/her payment data for a repeat order in his/her user account, the data will be deleted together with this account.

The legal basis for the processing of payment data is Art. 6 para. 1 UAbs. 1 letter b) DSGVO. If the user stores his/her payment data in a user account, the legal basis is Art. 6 para. 1 UAbs. 1 letter a) DSGVO. Otherwise, the processing is based on Art. 6 para. 1 UAbs. 1 letter f) DSGVO. Our legitimate interest is the processing of repayments.

Payment processing is carried out by Stripe Payments Europe Ltd, C/O A & L Goodbody, Ifsc, North Wall Quay Dublin D01 H104, Ireland.

The parent company Stripe Inc. is certified under the EU-US Privacy Shield. The company has thus undertaken to comply with a catalog of data protection principles and guarantees an appropriate level of data protection.

Stripe privacy policy: https://stripe.com/de/privacy

Other third party services

Rebrandly

We shorten links with Rebrandly. Provider is Radiate Capital Ltd, 31 Westland Square, Dublin 2, Ireland.

With Rebrandly, we can shorten longer links to just a few characters. When the user clicks on such a link, the company processes on our behalf the IP address, the clicked link, and the page from which the user came.

The use of Rebrandly is based on the legal basis of Art. 6 para. 1 UAbs. 1 letter f) DSGVO. Our legitimate interest is to improve the user experience of our website and our content.

Rebrandly Privacy policy

Google Analytics

We use Google Analytics for statistical analysis of the use of our website, to improve the content and quality, and for marketing purposes. The provider of Google Analytics is Google Ireland Ltd, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland, with whom we have concluded an order processing agreement.

In order to be able to track the user's activities on the website, a cookie is set on the end device. We use Google Analytics with the extension "anonymize IP". The IP address of the user is automatically shortened before it is transmitted to servers in the USA. Among other things, the approximate geographical location, terminal device, screen resolution, browser and pages visited, including the length of stay, are evaluated.

Insofar as we obtain the consent of the user, the processing of data is based on the legal basis of Art. 6 para. 1 subpara. 1 letter a) DSGVO. Otherwise, it is based on Art. 6 para. 1 UAbs. 1 letter f) DSGVO. Legitimate interests on our part are statistical analysis, improvement of our website and marketing.

The data collected by Google Analytics is automatically deleted after 14 months.

Opt-Out

The parent company Google LLC is certified under the EU-US Privacy Shield. The company has thus undertaken to comply with a catalog of data protection principles and guarantees an appropriate level of data protection.

Google Privacy policy

Google Maps

In order to display maps, we use Google Maps, a service of Google Ireland Ltd, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland. It is technically necessary to transfer the IP address of the user to Google. In addition, the company sets various cookies to identify the user and display personalized advertising.

Insofar as we obtain the consent of the user, the processing of data is based on the legal basis of Art. 6 para. 1 subpara. 1 letter a) DSGVO. Otherwise, it is based on Art. 6 para. 1 UAbs. 1 letter f) DSGVO. Our legitimate interest is the user-friendly design of our website.

The parent company Google LLC is certified under the EU-US Privacy Shield. The company has thus undertaken to comply with a catalog of data protection principles and guarantees an appropriate level of data protection.

Google Privacy policy

We have entered into a shared responsibility agreement with Google.

Google Fonts

To improve the speed of our website, we use Google Fonts, a service of Google Ireland Ltd, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland. It is technically necessary to transfer the IP address of the user to Google.

The use of Google Fonts is based on the legal basis of Art. 6 para. 1 UAbs. 1 letter f) DSGVO. Legitimate interests on our part are the reduction of loading times and a uniform presentation across devices.

The parent company Google LLC is certified under the EU-US Privacy Shield. The company has thus undertaken to comply with a catalog of data protection principles and guarantees an appropriate level of data protection.

Google Privacy policy

Segment

We use Segment.io for statistical analysis of the use of our website. The provider is Segment.io, 100 California St Suite 700, San Francisco, CA 94111, USA.

Segment.io simplifies the analysis of data by providing an interface. Through it, we can merge and share data that we collect through other services mentioned in this Privacy Policy. Segment.io also makes it easier for us to add new services to our website and remove services that are no longer needed. The user's IP address is transmitted to Segment.io when a script is executed by the service. The IP address is only stored in abbreviated form.

The legal basis for the processing is Art. 6 para. 1 UAbs. 1 letter f) DSGVO. Our legitimate interest is to improve our website and content.

Segment.io is certified under the EU-US Privacy Shield. The company has thus undertaken to comply with a catalog of data protection principles and guarantees an appropriate level of data protection.

Privacy policy of Segment.io

SurveyMonkey

To improve the quality of S.A.M. we use SurveyMonkey. The provider is SurveyMonkey Europe UC, 2nd Floor, 2 Shelbourne Buildings, Shelbourne Road, Dublin, Ireland.

With SurveyMonkey we have the possibility to ask the users of our offer about their experiences. To do this, they receive an SMS with a link that they can use to take part in a survey. The data provided as part of the survey is stored anonymously, so that it is no longer possible to draw conclusions about an individual person. The opinion data is retained so that it can be used further for the evaluation of opinion surveys.

The legal basis for the processing is the consent of the user according to Art. 6 para. 1 UAbs. 1 letter a) DSGVO.

The parent company SurveyMonkey Inc. is certified under the EU-US Privacy Shield. The company has thus undertaken to comply with a catalog of data protection principles and ensures an appropriate level of data protection.

SurveyMonkey Privacy Policy

Twilio

For registration with s.a.m health, we provide a secure authentication and information process. For this purpose, we use an interface (API) from Twilio, through which we can send SMS. The provider is Twilio Inc, 645 Harrison Street, Third Floor, San Francisco, CA 94107, USA. However, we only send SMS messages with the consent of the users.

The legal basis for the processing is the consent of the users according to Art. 6 para. 1 UAbs. 1 letter a) DSGVO.

Twilio is certified under the EU-US Privacy Shield. The company has thus undertaken to comply with a catalog of data protection principles and guarantees an appropriate level of data protection.

Twilio Privacy Policy

Rights of persons affected

If personal data of the user is processed, he/she is a data subject within the meaning of the GDPR. Data subjects are entitled to the following rights:

Right to confirmation: The data subject has the right to obtain confirmation as to whether personal data concerning him or her are being processed.

Right of access: If personal data are processed, the data subject has the right to obtain, free of charge, information and a copy of the personal data undergoing processing.

Right to rectification: The data subject has the right to request that inaccurate or incomplete personal data be corrected without undue delay.

Right to erasure: The data subject has the right to request immediate erasure of personal data concerning him or her in accordance with the law.

Right to restriction of processing: The data subject has the right to request restriction of the processing of personal data concerning him or her in accordance with the law.

Right to data portability: The data subject has the right to obtain the personal data concerning him or her in a structured, commonly used and machine-readable format or to request that it be transferred to another controller.

Right to object: The data subject shall have the right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her which is carried out on the basis of Article 6(1)(a)(e) or (f) of the GDPR; this shall also apply to any profiling based on these provisions. If personal data are processed for the purposes of direct marketing, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing; this also applies to profiling where it is related to such direct marketing.

Right of withdrawal: The data subject has the right to withdraw his or her given consent at any time.

Right to lodge a complaint: The data subject has the right to lodge a complaint with a supervisory authority if he or she considers that the processing of personal data concerning him or her infringes data protection law.

Privacy policy status: April 15, 2022