Summary of the data protection concept
Summary of the data protection concept
This policy regulates data protection compliant information processing and the corresponding responsibilities at Novogenia GmbH. All employees are required to comply with this policy.
Definitions of terms
- personal data: Individual details about personal or factual circumstances of a natural person (concerned party). Examples: Last name, first name, birthday, address data, order data, e-mail content.
- special personal data: Information on racial and/or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health or sex life.
- responsible party: is any person or entity that collects, processes or uses personal data for themselves or has others do so on behalf of them.
Name and contact details of the corporate data protection officer:
External data protection officer
Irrsdorfer Bachstrasse 48
Scope of application
The responsible company Novogenia GmbH acts as a service provider for external doctors, nutritionists, sales persons, private persons and companies. Novogenia guarantees compliance with the data protection policy for those areas that are within the control of Novogenia. This includes everything from received samples and ordering details to sending the reports in the desired (digital or printed) form. Compliance with data protection prior to receipt of the data and samples at Novogenia, as well as after sending the reports by digital means or by post or courier, are outside the scope of Novogenia and are not monitored and controlled by Novogenia. For information on data protection arrangements prior to receipt of the sample by the laboratory, please contact your representative who is responsible for this sector. In the case of digital transmission to an e-mail address, contact your e-mail provider to inform yourself about the privacy precautions. In case you would like printed reports, these documents will be handed over to the printing company Books on Demand, printed and sent by post or courier. For information about their respective data protection policy, contact the appropriate company.
By submitting your sample, you accept the fact that Novogenia is liable for data protection only for its own area and that Novogenia passes on the documents and data to the relevant distribution points on your behalf.
During the order process, the customer and distributor enter a contractual agreement with us. Distributor contract: By giving his signature, the distributor accepts our terms and conditions, our data protection clause and enters into a contract with us. Customer contract: By giving his signature, the customer accepts our terms and conditions, our data protection clause and enters into a contract with us.
Use of the data
- Recording of the order process
- Direct invoicing or via third parties
- Evaluation, in order to make health-related statements and evaluations
- Comparison with scientific databases
- Creation of personalized:
- Treatment recommendations
- Dietary recommendations
- Prevention programs
- Gifts, vouchers and advertising material
- Improvement of customer service by ensuring access to:
- the order history
- the recommendations
- the programs
- the customer protection management
- direct advertising and contact
- on a personal basis
- by telephone
- Evaluation for:
- research purposes
- market research
- population genetics
Obligation of data secrecy
Every employee who receives access to personal data and special personal data has committed in advance in written form to comply with the data protection policy and has completed extensive training and instruction with regards to data protection practices. The company records participation and completion of such trainings.
Access restriction and logging
The access of employees to sensitive data is restricted by various systems and is logged. The following measures ensure this:
- Computers are password protected
- Every employee gets a personal login, which:
- only allows access to data that is necessary for this employee
- is protected by two factor authentication password
- employs SSL-encrypted data transmission
- logs which data is processed by this employee
- regularly requests to change the password
- Referrers, representatives and associated companies will only receive access to personally identifiable information about the customers they've referred. This access is password protected.
- Download of analysis reports: the download of analysis reports in password-protected digital platforms is limited in time and deactivated after the defined expiry, which is typically three months. Thereafter, the download of the document is no longer possible, but can be reactivated at the request of the referrer, representative, the associated companies or the end customer for a limited time period.
The data processing procedure
The following processes and procedures are established for data processing:
- Opening of the sent sample packages by data protection-trained personnel
- Physical identification of samples and duplicate samples by a unique barcode
- Marking of the analysis form (if submitted in printed form) by the same barcode
- Registration of the barcode in the system and digitization of possibly handwritten forms and data by data protection-trained personnel. The data obtained from this is stored under this order barcode.
- Access to this sensitive data is regulated and logged by computer passwords and limited user accounts.
- The barcode-anonymized samples are forwarded to the laboratory and processed there based on the analysis order, yet only under the barcode identifier. Laboratory staff know only the barcode identifier and not the identity of the customer at this time.
- Evaluation of the raw genetic data by two independent trained employees
- Release of the evaluation of the raw genetic data and import of the results into the corresponding customer file.
DNA Plus – Zentrum für Humangenetik GmbH
- Interpretation of raw genetic data under incorporation of personal data pertaining to health aspects
- Creation of personalized analysis reports and programs based on this data in digital form
- Upon request: Upload to the user login to make the digital report available to either the end customer or the representative and associated companies
Genome Plus GmbH
- Acceptance of orders for the creation of (genetically) personalized products
- Creation of the manufacturing order and printing of the corresponding product labels by data protection-trained personnel
- Creation of the personalized product according to order by data protection-trained personnel
- Packaging and shipping of personalized products by courier or post
Who gets access to the data?
Individuals and companies actively working with the data
Authorized and data protection-trained employees of the following corporation are subject to confidentiality and have access to the data:
PLEASE NOTE: These 3 companies are part of the Novogenia Group of companies with the same CEO and staff operating in all 3 companies. The data protection system encompasses these 3 companies equally.
- Novogenia GmbH, Strass 19, 5301 Eugendorf, Austria (Laboratory)
- DNA Plus – Zentrum für Humangenetik GmbH, Strass 19, 5301 Eugendorf, Austria (Interpretation)
- Genome Plus GmbH, Strass 19, 5301 Eugendorf, Austria (Personalized Product Manufacture)
- AWS - Amazon Web Services, Inc., P.O. Box 81226, Seattle, WA 98108-1226 (Ist ISO 28001, 27017, 27018 and PCI-DSS certified, https://aws.amazon.com/compliance/data-privacy-faq/ ), Serverlocation Virginia, USA
Companies to whom we would transmit the data by your request for printing and postage
In addition, as part of the processing, parts of the data may potentially be made accessible by employees of external companies at the request of the customer or distributors.
- Only upon request by the customer: Printing and sending of reports: Books on Demand GmbH, In de Tarpen 42, 22848 Norderstedt, Germany (https://www.bod.de/bod-datenschutz.html)
- Employees of courier and postal services transporting sealed packages.
Representatives and referrers
How long is the data stored?
The data will be deleted at the request of the customer no later than 3 months after completion of the analysis/order or otherwise stored in compliance with the data protection policy for 10 years. (Recommendation by the
Deletion of data
You have the right to have your personal data deleted and limit the forwarding of all or some of your data. Due to the process, we are unable to manage and process only part of your data based on the agreement in the corporate group. That is why we offer you the legally compliant storage of your data. Alternatively, you have the option of having all your data deleted.
Certain data, such as invoices, are subject to retention and may not be deleted. These are digitally secured and only after the required period of 7 years can they be deleted upon request.
A proof of identity is required to verify your identity.
Deletion of data
The following data can be deleted on request:
- Health-related data
- Lifestyle-related data
- Genetic data
The following data can not be deleted due to the legal storage obligation
- Invoice data
- Order data
- Billing address and name
- Anonymized scientific knowledge gained from the data
Right to access your stored data
You have the right to access all data stored about you. Please complete the following form, enclose a copy of the ID card as proof of your identity and send it by mail or electronically to:
You will then receive the data stored about you within the statutory deadline.
Please note: In some cases, more genetic raw data than required about you is available for the ordered reports due to technological reasons. These other raw genetic data will ONLY be evaluated and interpreted if you order this. By requesting the data stored about you, you will not receive any further analysis reports or evaluations.
A proof of identity is required to verify your identity.
Your additional rights
If you feel that our service violates your data privacy, you have the right to file a complaint against us with the relevant data protection authority.
Direct advertisement and initiation of contact for marketing purposes
You have the right to inform us at any time that you do not wish to be contacted by us for direct advertisement or marketing purposes.
Transmission of personal data via email or online contact forms
Should you send us personal and sensitive information via email or contact forms or similar systems, you give us the permission to save this data for extended periods. This right can be retracted upon written request.
This website uses Google Analytics, a web analysis service of Google Inc. 1600 Amphitheatre Parkway Mountain View, CA 94043, USA), in order to evaluate how visitors are using the site. Google Analytics uses so called „Cookies“ - text files which are stored on your device. The information collected by Cookies are usually transmitted to a Google server in the USA and stored there.
IP anonymization is activated on this website. The IP address of users within the member states of the EU and the European Economic Area are only used in shortened form. This reduction eliminates the personal reference to your IP address. As part of the contract data agreement concluded between the website operators and Google Inc., Google uses the collected information to evaluate the use of the website and website activity as well as to provide services related to internet use.
You have the option of preventing the storage of cookies on your device by making the appropriate settings in your browser. If your browser does not allow cookies there is no guarantee that you will be able to access all functions of this website without restrictions.
Furthermore, you can use a browser plug-in to prevent the information collected by cookies (including your IP address) from being sent to Google Inc. and used by Google Inc. The following link leads you to the corresponding plugin: httpss://tools.google.com/dlpage/gaoptout?hl=en
You can find further information on data usage by Google Inc. under following link: httpss://support.google.com/analytics/answer/6004245?hl=en
Data protection regulations
„personal data” means any information regarding an identified or identifiable individual (“data subject”); an identifiable individual is a person that can be identified, directly or indirectly mainly by reference to an identification element such as name, identification number, localization data, an online identifier or one or more specific elements in relation to its physical, physiological, genetic, psychic, economic, cultural or social identity;
„genetic data” means any personal data regarding the genetic traits of an individual that have been inherited or acquired and which provide unique information on the physiology or health condition of the person in question and mainly arise following an analysis of a sample of biologic material collected from the individual in question;
„data on health condition” means any personal data in relation to the physical or mental health condition of an individual including the provision of medical services, that disclose information on the health condition of such individual;
„processing” means any operation or set of operations conducted regarding personal data or sets of personal data with or without using automated means such as the collection, registration, organization, structuring, storage, adaptation or amendment, extraction, consultation, use, disclosure by transmission, dissemination or by making available in any other way, aligning or combining, restricting, deleting or destroying;
Any other words or expressions used in this Agreement will have the meaning provided in Law No. 677/2001 and starting May 25th, 2018 will have the meaning provided in EU Regulation 2016/679 of the European Parliament and Council dated April 27th, 2016 on the protection of individuals in terms of personal data processing and the free movement of such data and repealing Directive 95/46/EC (“GDPR”).
Scope of the agreement
Considering the capacity of both Parties as medical services providers and the legal ground of the processing of personal data belonging to data subjects namely Art. 6 para. 1 letter b) and c) and Art. 9 para. 1 letter h) of the GDPR, both Parties establish the purpose and the means of processing certain data belonging to data subjects. Among the personal data that the Parties might process without any limitation to such, there are the following: [name and surname, date of birth, address, phone number, email address, medical data, genetic data]. Data subjects the personal data of which is being processed are the Parties patients.
Consequently, considering the provisions of Art. 26 of the GDPR, during performance of the Contract dated August 14th, 2013 (“Contract”), the Parties have capacity as “associated operators” and intend, by this Agreement, to regulate responsibilities corresponding to such in this capacity, for defending the legitimate interests of the data subjects and securing the rights of such provided at Art. 15-22 of the GDPR. This Agreement shall be enforced on all service deliveries between the Parties based on the Contract, until its express revocation by the Parties or until termination of the Contract as well as further to such in relation to any obligations that would subsist in the Parties’ charge afterwards. Any provisions in the Contract that are not explicitly or implicitly amended by this Agreement shall remain entirely valid and applicable.
Duties of the associated operators
Each Party will ensure that:
- Personal data of the data subjects is processed only in compliance with the legal provisions and will ensure the data protection principles are complied with and will only process the data which is strictly necessary for the fulfilment of the obligations undertaken towards the data subject only for the purpose for which such was made available only after prior notification and according to the legal provisions (Art. 13 or 14 of the GDPR), of the data subjects and only for the period required to fulfil the purposes of the processing;
- Personal data is correct and up - to - date;
- It will obtain the consent of the data subject for any processing imposed by the legal provisions unless there is another legal ground of the processing;
- It shall enforce all appropriate technical and organizational measures for the protection of personal data against unauthorized or unlawful processing and against accidental loss, destruction, deterioration, change or disclosure including the use of pseudonyms and encryption of personal data as applicable, as well as the measures provided at Article 32(1) of the GDPR. In order to establish an appropriate data security level, each Party will take into consideration the current state of technology, the implementation costs and the nature, field of application, context and purpose of the processing, according to own records held as per Art. 30 of the GDPR as well as the risk of diversity and severity of rights and freedoms of the data subjects and the risks that the processing poses mainly in terms of security incidents;
- In case of email correspondence, personal data will be included in an attached document to be encrypted and password protected prior to being sent or otherwise safe and secure business to business data transfer platforms will be used;
- It will ensure that only the persons in the own staff which are authorized to have access to the personal data will be authorized to have access to such data and only to the data needed by such to fulfil their work duties by implementing and observing the types of access such need and only for the performance of the obligations undertaken towards the data subjects and according to the contract between the Parties;
- It will ensure that all personnel that has access to personal data is informed in terms of the confidential nature of personal data, it complies with the obligations provided herein and took upon the confidentiality provision or is subject to professional or legal confidentiality obligations;
- Such will be mutually informed in terms of specific requirements to comply in order to ensure the processing is compliant with the legal provisions and with the requests of data subjects;
- Considering that data subjects can exercise their rights towards each Party, such will be mutually informed on any requests coming from data subjects and which would also be incidental upon the processing made by the other Party and will support each other with available information in order to settle such requests;
- Each Party will respond to requests coming from data subjects in terms of own data processing and will notify the data subject on the essence of this agreement;
- To the extent there are any inconsistencies or conflicts on which the Party has the obligation to respond to data subjects in order to avoid any prejudice to the rights and interests of the data subjects, the Parties will discuss and establish depending on the request received, the right exercised and the data subjects and the other elements of the processing, the Party in capacity as operator for such processing by mentioning this in a protocol signed by both Parties:
- To inform each other with regard to any request for any disclosure of personal data by a regulatory authority (including any Supervisory Authority) and in any way prior to any disclosure (except for the case when and to the extent in which it is expressly prohibited by the Supervisory Authority or by the Applicable Law);
- To mutually support each other and reasonably cooperate in good faith so as to ensure that the rights of data subjects are observed;
- To promptly take note of any security incident in order to ensure observance by the Party in charge with the notification, of the legal 72 hours term, to the extent in which such is liable to have an impact and a connection with the data processing performed by the other Party;
- To ensure that any subcontractor complies with the same obligations in compliance with this section and that all proceedings will be carried out in order to ensure that the subcontractors can provide the adequate level of protection required by applicable laws in terms of data protection and if such are located in countries outside the EEA, any transfer will be made based on appropriate guarantees.
- Irrespective of all the other provisions in this Agreement, in relation to any deeds which implies processing of personal data, performed by the Beneficiary for the exclusive benefit of the Provider, Beneficiary shall act as a data processor and the Provider shall act as a data controller. Consequently, in relation to such deeds, the Beneficiary shall act based on the Provider’s documented instructions, only for the purpose of performing the serviced under the Contract, shall perform only those processing operations necessary for such performance and only for the term of the Contract, provided that there are other legal grounds which entitle the Beneficiary to process the personal data for extensive periods of time. In all such cases, the Beneficiary shall have all the obligations provided by article 28 of GDPR and the Provider shall have all its obligations under GDPR and which belong to controllers, including, but not limited to, the proper information of the data subjects with respect to the processing of their personal data, the processing of such personal data based on the proper legal ground and with the implementation of adequate security technical and organizational measures.
- The obligations undertaken by the Parties based on this Agreement shall be supplemented with the applicable legal provisions, each Party being liable for and exempting the other Party from liability for any breach of such provisions as a result of its own fault and for any prejudice experienced by the other Party as a result of such fault.
- Considering that the GDPR becomes applicable starting May 25th, 2018, the Parties agree to propose and conclude an addendum to this Agreement following any amendment or decision of a competent authority and which such deems reasonably necessary in terms of meeting the requirements in any personal data protection Law.