Data Protection Policy

CeGaT GmbH takes your legitimate concerns about data protection very seriously, and it complies with the requirements of the EU General Data Protection Regulation (GDPR), the German Telemedia Act (Telemediengesetz), and, where pertinent, also the requirements of other applicable data-protection provisions.

CeGaT GmbH treats the data you provide with care and in a conscientious manner. If data of any nature are collected, processed, or used, this always takes place within the scope of statutory provisions or with your express consent.

The protection of privacy is of decisive importance for the future of internet-based business models and for the development of an internet-based economy. With this Data Protection Policy, CeGaT GmbH underscores its commitment to the protection of privacy. In the following, you will learn how CeGaT GmbH treats your personal data.

Changes to this Data Protection Policy will always be announced on this page, such that you will at all times be informed about what data are stored by CeGaT GmbH in connection with the SARS-CoV-2 antibody test and how these data are used.

The controller pursuant to Article 4(7) GDPR is:

CeGaT GmbH
Paul-Ehrlich-Str. 23
72076 Tübingen, Germany

Commercial Register maintained by the Local Court of Stuttgart HRB 729958

Tel +49 (0)7071 565 44 55
Fax +49 (0)7071 565 44 56

You can reach our CeGaT GmbH data protection officer at:

CeGaT GmbH
Thomas Fletschinger
Email: dsb(at)

What is meant by the processing of personal data?

Personal data (hereinafter, “Data”) mean any information relating to an identified or identifiable natural person who can be identified, directly or indirectly.

Special categories of personal data mean Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

Collection and processing of personal data

The following lists when CeGaT GmbH electronically stores and processes personal data in connection with the SARS-CoV-2 antibody test and what Data are involved with this.

Opening of a customer account

When you open a customer account on the CeGaT GmbH website, you consent to the electronic storage of your personal data, such as name, mailing address, email address, and your user data (username, password, IP address). With the customer account, you can order blood collection kits from us, have us perform SARS-CoV-2 antibody tests, and view the results.

Where required by applicable data-protection law, we will moreover request your consent to the further processing of personal data that we collected or that you provided.

Such consent may be withdrawn at any time by sending an email to corona(at) In any event, CeGaT GmbH undertakes to treat all provided personal data in confidence and in accordance with applicable data-protection law.

Ordering an antibody test

Using a customer account

After opening a customer account, you can use it to order SARS-CoV-2 antibody tests from CeGaT GmbH. When placing an order, you consent to the electronic storage and processing of the personal data of your patient or the person being tested. In addition, when placing an order, you declare that the patient or the person being tested has consented to the disclosure of his or her personal data to CeGaT GmbH, as well as to the processing and electronic storage of such data.

Blood collection on site

If blood is to be collected at CeGaT GmbH or by the mobile operations team, then by ordering blood collection and the performance of the SARS-CoV-2 antibody test, you consent to the electronic storage and processing of the personal data collected at the time of blood collection for the purpose of processing the order.

On the basis of the consent granted when placing an order, CeGaT GmbH may also use the personal data for the purpose of preparing a report on the findings, as well as for invoicing and for sending evidence.

In addition to order processing, CeGaT GmbH may process your personal data for the following purposes:

  • For anonymised statistical analyses
  • For other purposes mandated by statute or regulation
  • In certain cases, we are obligated by statute to transmit Data to a requesting government body (institution or authority). The legal basis for processing is Article 6(1)(c) GDPR and section 24 (2) No. 1 of the German Federal Data Protection Act (BDSG).
  • In some cases, business partners require personal data of our customers. This generally occurs in connection with order fulfilment (e.g. in the case of complaints). This is expressly provided for by statute. In this case as well, CeGaT GmbH remains responsible for the protection of your Data, along with the entity processing the order on our behalf, where applicable. The relevant business partner works pursuant to our instructions, which CeGaT GmbH ensures through strict contractual arrangements.

A subsequent change to the purpose for which your personal data are used is subject to your express consent, unless the change is authorised by applicable legal provisions.

Retrieving findings

If you have registered on our website, you can use your customer account to view the results of the antibody test that you ordered. In addition, every tested person will receive the findings by mail, which are sent by a shipping service.

Data retention

The personal data of the tested person/patient are stored on a server at a certified German computer centre and at CeGaT GmbH. The data stored at the computer centre are retained for three months after order completion and then automatically erased. Thus, it will thereafter no longer be possible to view the test results in your customer account.

You may at any time delete your customer account by using the function provided in the customer account for this purpose.

CeGaT GmbH retains personal data only for as long as required by the purpose or the legal provisions for which they were collected.

Data collection on our website

In the following, we explain which technologies are employed and what type of information is collected with them if you use the CeGaT GmbH website.

What data do we collect and why do we do so?

IP addresses

IP addresses are used to analyse malfunctions, to manage the website, and to obtain demographic information. In addition, we use IP addresses and, where appropriate, other information that you have provided on this website in order to learn which pages are viewed on our website and which topics are of interest to our visitors. We use the knowledge obtained in order to be able to offer you an optimised range of information about our products and services.

CeGaT GmbH collects only data in connection with your visit to the CeGaT website and the web portal. We do not collect any personal data when you visit the websites of other companies or organisations that are not part of CeGaT GmbH.


We use cookies on our website. Cookies are small files that are automatically created by your browser and stored on your end device (laptop, tablet, smartphone, etc.) when you visit our website. Cookies do not cause any damage to your end device, and they do not contain any viruses, Trojan horses, or other malware. The cookie stores information that relates to the specific end device being used. However, this does not mean that we can use the cookie to obtain direct knowledge of your identity. Cookies enable us to make it more convenient for you to use our website. For instance, we use what are known as session cookies in order to recognise that you have already visited specific pages on our website. These are automatically deleted after you leave our site.

Use of external service providers and disclosure of data

We work with service providers that process certain Data on our behalf. This takes place exclusively in conformity with applicable data-protection law. In particular, we have concluded agreements with our service providers concerning the data processing carried out on our behalf that satisfy the requirements of Article 28 GDPR.

Your personal data are not transmitted to third parties for purposes other than those listed in the following. We disclose your personal data to third parties only:

  1. if you have granted your consent to do so in accordance with Article 6(1)(a) GDPR and section 26 (2) BDSG,
  2. if disclosure in accordance with Article 6(1)(f) GDPR is necessary for the establishment, exercise or defence of legal claims and there is no reason to assume that you have an overriding protected interest in non-disclosure,
  3. in the event that there is a statutory obligation to disclose in accordance with Article 6(1)(c) GDPR, or
  4. if this is permitted by statute and is necessary in accordance with Article 6(1)(b) GDPR and section 26 (1) BDSG for performing a contractual relationship with you or for taking steps at your request prior to entering into a contract.

We do not transmit data to a third country or an international organisation, and other than where provided otherwise below in this Data Protection Policy, we also do not employ any automated decision-making.

Where required, information is disclosed by CeGaT GmbH also to business partners, service providers, third parties, or subcontractors. This may be necessary in order to provide a transaction or service you desire, such as order processing, for the purposes of customer service, or in order to inform you about services or products.

Your personal data are not disclosed, sold, or otherwise made available to third parties for marketing purposes without your prior consent.

CeGaT GmbH may be compelled to disclose your Data and associated information in response to a court order or official directive. Similarly, we reserve the ability to use your Data to establish or defend legal claims.

In the event that we are taken over by or merge with another company, it may be necessary to disclose personal data to actual or potential buyers. In such case, CeGaT GmbH will make an effort to afford the data the highest possible protection.

In conformity with applicable law, we reserve the ability to store and disclose personal and other data for the purpose of exposing and combating illegal acts and fraud attempts or an infringement of the terms of use of CeGaT GmbH.

Data security

  1. In connection with your visit to our website, we use the widespread secure socket layer (SSL) protocol in conjunction with the highest level of encryption supported by your browser. This normally involves 256-bit encryption. If your browser does not support 256-bit encryption, we instead use 128-bit v3 technology. You can tell whether a specific page on our website is being transmitted in encrypted form if the key or lock icon is displayed on the status bar at the bottom of your browser.
  2. In addition, we make use of appropriate technical and organisational security measures in order to protect your Data against accidental or intentional manipulation, partial or complete loss, destruction, or unauthorised access by third parties. Our security measures are continuously improved in keeping with technological progress.
  3. Moreover, we place an obligation on each of our employees concerning data protection and confidentiality pursuant to the GDPR.

Rights of data subjects

Pursuant to Article 15 GDPR you have the right

  1. to obtain information about your personal data that are processed by us. In particular, you can obtain information about the purposes of the processing, the categories of personal data concerned, the categories of recipients to whom your Data have been or will be disclosed, the envisaged storage period, the existence of the right to rectification, erasure, restriction of processing or to object, the right to lodge a complaint, and the source of your Data where they were not collected by us, as well as information about the existence of automated decision-making and, if applicable, meaningful information about its details;
  2. in accordance with Article 16 GDPR, to obtain without undue delay the rectification of inaccurate personal data and the completion of your incomplete personal data that are stored by us;
  3. in accordance with Article 17 GDPR, to obtain the erasure of personal data that are stored by us, unless processing is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest, or for the establishment, exercise or defence of legal claims;
  4. in accordance with Article 18 GDPR, to obtain restriction of the processing of your personal data, to the extent that the accuracy of the personal data is contested by you, the processing is unlawful and you oppose their erasure, we no longer need the Data but they are required by you for the establishment, exercise or defence of legal claims, or you have objected to processing pursuant to Article 21 GDPR;
  5. in accordance with Article 20 GDPR, to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format and to transmit them to another controller;
  6. in accordance with Article 7(3) GDPR, to withdraw at any time the consent you once granted to us. This means that we may henceforth no longer continue the data processing based on that consent; and
  7. in accordance with Article 77 GDPR, to lodge a complaint with a supervisory authority. For this purpose, you can normally contact the supervisory authority competent for your habitual residence or place of work or for the registered office of our company.

The competent supervisory authority for data protection of CeGaT GmbH is:

Baden-Württemberg Aufsichtsbehörde
Der Landesbeauftragte für den Datenschutz Baden-Württemberg
Postfach 10 29 32, 70025 Stuttgart
Urbanstr. 32, 70182 Stuttgart

Tel 0711 615541-0
Fax 0711 615541-15


For asserting the aforementioned rights and for questions concerning data protection, you can contact the controller mentioned above, or send a corresponding email to corona(at)

Right to object

Where your personal data are processed on the basis of legitimate interests pursuant to Article 6(1)(f) GDPR, you have the right pursuant to Article 21 GDPR to object to the processing of your personal data, to the extent that grounds exist that relate to your particular situation or the objection concerns direct marketing. In the latter case, you have a general right to object without having to indicate a particular situation. If you would like to make use of your right to withdraw consent or to object, it suffices to send an email to corona(at) 

Changes to this Data Protection Policy

Owing to current circumstances, such as an amendment to the relevant provisions of data-protection law, we will update this Data Protection Policy where necessary.

Version: 1 February 2022