Privacy policy according to Article 13 GDPR

  1. Controller

Controller for processing of your personal data is:

OPD Drozina d.o.o.

Trg Republike 3

1000 Ljubljana

(optional) Data privacy officer:

  2. Purpose of processing and legal basis

With your consent (Art. 6 para. 1 lit. a GDPR in conjunction with Art. 9 para. 2 lit. a GDPR), the personal data provided by you will be processed for the purpose of carrying out a COVID-19 test and transmitting findings to or by OPD Drozina d.o.o. This data includes, in particular, name, gender, address, date of birth, email address, telephone number, time of test acceptance, resulting COVID-19 infection status, social security number and type of sample material.

Your data will be collected and stored by OPD Drozina d.o.o. directly from you and (with the exception of the photographs, see below) transmitted to a partner laboratory for the purpose of laboratory-medical analysis, where your sample material will be evaluated by qualified specialists. The test results are then transmitted electronically by the laboratory to OPD Drozina d.o.o. for the communication of results.

Participation in COVID-19 testing is voluntary. You will not suffer any disadvantages due to non-participation.

  3. Identification

If you want to officially present your test result, we need to check your identity. For this we need your ID. The photo of your identity document is read using text recognition software, and the contents of the identity document (document number, expiration date, name, etc.) are then processed further. Later in the application, we take photographs of you while you perform the gurgle test. In addition to the ID, these photos serve to ensure that you (and no one else) perform the gurgle test. By clicking on "AUTHENTICATE" you consent to the processing of your ID data and your photos for the stated purpose (Art. 6 para. 1 lit. a GDPR in conjunction with Art. 9 para. 2 lit. a GDPR). This consent is voluntary; alternatively, you can refuse to verify your identity by selecting "SKIP PROOF". In this case, you will not receive a certificate.

  4. Other data recipients

On the basis of the prevailing statutory reporting obligations, the laboratory reports the result to the competent health authorities.

In principle, your data will not be transmitted by OPD Drozina d.o.o. to any other third parties. The exception is the transfer to processors who work exclusively on the instructions of OPD Drozina d.o.o., who do not use data for their own purposes and are bound by their own agreements to the data protection obligations under the GDPR. Your data will not be transferred to countries outside the European Union.

  5. Storage period

If you create a user account, your access and master data will be deleted 1 year after your last login; all other data will be deleted 14 days after delivery of the result to you.

The partner laboratories are subject to the statutory retention obligations under medical law or otherwise applicable law.

  6. Withdrawal of consent

Please note that the provision of your data is necessary to perform COVID-19 testing. Since participation is voluntary, you will not suffer any disadvantages due to non-participation. You have the right to withdraw your consent(s) at any time without giving reasons, which does not affect the lawfulness of the processing until the withdrawal has taken place. You can revoke your consent to the processing of the photos and identity card data for the determination of identity separately, but please note that we will not be able to issue a certificate in this case. To withdraw your consent, please contact

  7. Your rights

You have a right of access to the personal data we process, to rectification and erasure, to restriction of processing, as well as a right to data portability, a right to object and a right to lodge a complaint with the data protection authority, all in accordance with the legal regulations. There is no automated decision-making (including profiling).

For concerns and questions about data protection, please contact our data protection officer at

  8. Operation of your user account and the web app

If you create a user account on our web app, LEAD processes your access data (username and password) for the purpose of setting up and operating this account on the basis of our legitimate interests (Art. 6 (1) (f) GDPR). This data will be deleted 1 year after the last login.

For the operation of the web app, LEAD also processes technical telemetry data such as your IP address, which are necessary for the operation of the web app and the execution of the tests. LEAD also processes this data on the basis of the legitimate interest (Art. 6 (1) (f) GDPR) in a smooth technical operation. This data will also be deleted after 14 days.

If you contact us by e-mail, your personal data, such as your e-mail address and e-mail correspondence, will be processed for the purpose of customer service on the basis of the legitimate interest (Art. 6 (1) (f) GDPR) in a good customer relationship. This data will be deleted no later than 3 years after the last contact.

The web app uses cookies, whereby only technically necessary cookies are used:

  • lead_horizon_testkit_session - The session cookie is used to recognize you for the duration of your session and is necessary to ensure the functionality of the application. As soon as you close the web app, the session cookie is automatically deleted.
  • XSRF-TOKEN - supports a security measure to prevent cross-site request forgery or cross-site scripting. This cookie will also be deleted after your session has ended.
  • lh_id_set - encrypted storage of your sample number in the course of retrieving the result. This cookie will also be deleted after your session has ended.
  • lh_local - the cookie stores your language preference and will be deleted after 1 year at the latest.
  • lh_domain - the cookie stores the variant of the product you are using and will be deleted after 1 year at the latest.


Data processing by cookies is based on our legitimate interest (Art. 6 (1) (f) GDPR and § 96 (3) telecommunications law) in the provision of a functioning web app.