Handling of responses to freely configurable questions created by Venue Owners

Venue Owners can set up arbitrary additional questions which will then be presented to users during check-in. These questions are

• (a) not obviously marked as additional questions crafted by Venue Owners and
• (b) handled as required so users cannot opt-out of providing information which is not at all legally required.

In addition, it is unclear, how the responses to these questions are handled cryptographically. The Security Concept explicitly states, that Check-in contact data is encrypted. Since these additional questions are added by Venue Owners, it is fair to assume, that the ultimate goal is to give Venue Owners access to the collected information. The check-in form in no way makes this explicitly obvious to users nor does it explicitly ask for consent.

Please provide the missing information:

• How exactly are the responses to these additional questions handled cryptographically?
• Who has access to these responses?
• Has the ability to create freely configurable, arbitrary information requests been part of the supposed DSGVO and DSFA audits?