CoronaCheck app and printed EU Digital COVID Certificate Privacy Statement
This privacy statement has been written for the use of the CoronaCheck application and the coronacheck.nl website as of April 25, 2022 and explains how personal data of individuals who generate and use an EU Digital COVID Certificate are processed and what measures have been taken to protect this personal data.
If you want to travel to another country within Europe, you may have to prove you have tested negative, have been vaccinated, or have already had coronavirus once before. The certificate that was being used within the Netherlands, in the form of a QR code, is called the coronavirus entry pass. For travel within Europe, you need an EU Digital COVID Certificate (we call it an EU DCC), which is also in the form of a QR code. You can have the EU DCC made via an app on your phone and save it there (CoronaCheck app), or you can have the certificate made and print it via the website www.coronacheck.nl. The coronavirus entry pass is no longer being used or created. The coronavirus entry passes created in the CoronaCheck app and their data were automatically removed from the CoronaCheck app as of 25 April 2022. The physical (paper) coronavirus entry pass is no longer valid and you can destroy it yourself.
The Minister of Health, Welfare, and Sport (VWS) is responsible for creating a certificate via the CoronaCheck app or the coronacheck.nl website. To create a certificate, personal data must be processed. This privacy statement explains what personal data is involved, on what basis it is processed, what your rights are and what you can do if you disagree with the processing.
1. What personal data is processed?
To create an EU DCC, we use data about your health: test results, vaccination records, and recovery statements. We also use data that tells us something about who you are, so we can retrieve the right information and verify whether the certificate is truly yours. If you request a certificate via the CoronaCheck app or the coronacheck.nl website, we need the following information:
- Social security number (BSN)
- First name and last name
- Date of birth
In addition to the above information, the following information is required, which varies depending on the certificate you want to retrieve:
- If you want a certificate based on a negative test: a recent negative test result and the type of test;
- If you want a certificate based on a vaccination: whether you’ve been vaccinated, with which vaccine, and possibly a positive test result in the past (so that, for vaccinations that normally consist of two injections, a full vaccination certificate can be issued after only one injection if you had coronavirus prior to your vaccination);
- If you want a certificate based on recovery: a positive test result that shows you had coronavirus in the past.
Because the app and website use an internet connection, your IP address will also be processed. This is inherent to the use of internet and IP technology and is necessary to technically establish a connection between the test performer’s or vaccinator’s server and your phone or browser. The IP address is processed for management and security purposes only.
If you’ve been tested at a test provider other than a GGD, your BSN will not be processed, but the unique retrieval code and verification code provided to you by the test provider will be used.
In addition, other data is retrieved that cannot be traced back to you directly. If you want to know exactly what other data is processed, click here. There you will find an overview of the data collected and processed to create the EU DCC and a description of which data is actually included in the QR code you have to show if you want to travel to another country within Europe.
Upon issue of an EU DCC, a unique certificate code of your EU DCC will be generated. If we are issuing a physical EU DCC, a unique pairing code is also included. You can use it to convert the physical EU DCC back to a digital EU DCC.
2. Where does my data come from?
Information about your test, vaccination and/or recovery is provided by the care provider who tested or vaccinated you. Data for a certificate of recovery is provided by the GGDs. This data is requested, and received, in two ways:
- When you’re tested by a test provider other than your regional GGD, the data is requested via the unique retrieval code and verification code you received from the test provider. In this case, you may retrieve your data by entering this unique retrieval code and verification code in the CoronaCheck app or on the coronacheck.nl website.
- When retrieving information about vaccination or recovery or a negative test carried out by a GGD or a care provider at the hospital, you log in using your DigiD to identify yourself. By logging in, the Minister of VWS will receive your BSN and can, based on your BSN, retrieve your first name, last name, and date of birth from the Personal Records Database. Using this combined information, the Minister will request your data from parties who may have your information about your vaccination, recovery, and test (like the GGDs, the RIVM, the hospital where you have been vaccinated, and your general practitioner). Information about your recovery is based on a positive test in the past, which the test provider who tested you has had to report to the local GGD.
If you request your data in the CoronaCheck app or via the coronacheck.nl website, you will be shown which information is retrieved and where it is coming from.
If you only have a physical certificate on paper that you received from your healthcare provider or via the helpdesk at the CIBG, then it is possible to scan your paper certificate via the CoronaCheck app. You can scan the QR code of your physical certificate using your smartphone camera. This information will then be used to create a digital EU DCC. We need your permission to use your smartphone camera. The CoronaCheck app will ask you for this.
3. Why do we process this data (purpose of processing)?
We gather this data to be able to create an EU DCC for you. You may use it to travel to countries within Europe that require an EU DCC to enter.
The purpose of this intended data processing is to facilitate the free movement of persons, as normally applicable within the EU (and EEA), during the COVID-19 pandemic and to prevent people with an increased risk of infection from entering member states. This is done through the issuing, verification, and acceptance of interoperable vaccination, test, and recovery (EU DCC) certificates.
4. What is the basis for this data processing?
The Minister of VWS is required by law to create an EU DCC for someone who requests one if they meet the requirements. Of course, they need to be vaccinated or possess a valid test result.
The General Data Protection Regulation (GDPR) lists six possible bases for processing personal data (Article 6 (1) GDPR). One of these is a legal duty that rests with the controller (in this case the Minister of Health, Welfare, and Sport). The basis for processing your data is Article 6 (1) (e) of the GDPR: a task of general interest. In addition, data concerning your health may be processed on the basis of Article 9 (2) (g) of the GDPR. Since this is a certificate for travel within the EU (EEA), the basis must be found in European law.
Basis of European law
On June 14, 2021, the Regulation (EU) 2021/953 of the European Parliament and the Council regarding a framework for the issuing, verification, and acceptance of interoperable COVID-19 vaccination, test, and recovery certificates (digital EU-COVID certificate) to facilitate free movement during the COVID-19 pandemic was published (hereinafter: the regulation).
The regulation provides a European (technical) framework for the issuing of interoperable certificates on COVID-19 vaccination, testing, and recovery with the aim of facilitating the free movement of persons (Article 21, TFEU). The EU DCC is issued under the regulation (Article 3, second paragraph of the regulation) and mandates the Minister of Health (or his designee) to issue the EU DCC in digital or paper form. Because the Regulation works directly and the need to process data in the context of the task imposed is evident, it is not necessary to include a separate processing basis in the act. In article 10, sixth paragraph of the regulation, the person responsible for the issuing is designated responsible for data processing. The Minister of Health, Welfare, and Sport is therefore the data processor for the issuing of the EU DCC.
Basis in national law
The Temporary act on coronavirus passes regulates the use of passes with the aim of reopening Dutch society. Article 58re (4) states that the Minister of Health, Welfare and Sport is responsible for the set-up and management of the applications and takes measures to ensure that the applications only show reliable results. In article 58re (5), the Minister of Health, Welfare and Sport is designated responsible for data processing. The basis for processing the data required for this purpose is provided in the draft legislation Change of the Public Health Act in connection with some improvements and clarifications of the temporary rules on the use of coronavirus passes in the fight against COVID-19. Article 58re (6) provides the basis for the Minister to process personal data, including personal data on health. In the Ministerial regulation amending the temporary regulation on COVID-19 Measures in connection with the use of coronavirus entry passes, Article 6.31 regulates which personal data may be processed.
5. Who is responsible for data processing?
The Minister of Health, Welfare, and Sport (hereinafter: the Minister) is responsible for processing personal information in the CoronaCheck app and the coronacheck.nl website.
The Minister’s processors:
- Prolocation B.V. manages the configuration server and back-end systems of VWS and the signing servers used by VWS.
- Webhelp Nederland B.V. provides the necessary helpdesk services. The helpdesk serves as a point of information and supports citizens if they get stuck in the operation of the CoronaCheck app. They also provide explanations and referrals if citizens find that the retrieved data is incomplete or incorrect.
6. How long do we store your information?
Only data saved in the CoronaCheck app itself or printed on the paper certificate will be kept. Of course, for the paper certificate, you decide how long to keep the data. This is also the case with the CoronaCheck app: if you delete the app that data will also be deleted. Otherwise, the data will be stored according to the following periods:
- Negative test results: 96 hours after date and time of test administration until maximum of 14 days;
- Positive test results: 1 year (for a recovery certificate, but if it is part of a vaccination certificate, up until 3 years after your most recent vaccination);
- Vaccination data: 3 years after the vaccination date (please be aware that in some cases a positive test result can be part of your vaccination data)
- Recovery data: 180 days after the date and time of test administration;
- A unique serial number of your EU DCC and a code of the data source will be saved for two years.
- In case we provide you with a physical EU DCC, the associated pairing code will be saved for one year after the issue.
Your social security number will not be stored. Your IP address will not be stored for more than seven days.
7. With whom will your information be shared?
If you show your certificate to the person checking your certificate in another member state when you enter, they can read the data contained in the QR code. The controller is not allowed to store this data. They can only check at that moment whether you have a valid EU DCC.
If you show the EU DCC in another country, the controller in that other country will see all the data included in the QR code of the EU DCC. Click here for an overview of that data.
Please note that if you have your QR code scanned in a country outside of the EU, other rules for protecting your personal data may apply, and that you cannot exercise all the rights there that you have within the EU, because within the EU the GDPR applies.
8. Is there automated decision-making?
Yes, if you request your EU DCC via the coronacheck.nl website or the CoronaCheck app, this process is handled completely automatically. If you get stuck as a result and you do meet the requirements, there are several options for getting an EU DCC. First of all, there is a page with answers to the most frequently asked questions. If you do not find an answer to your question there, you can contact the helpdesk via: email@example.com. They can help you if you are stuck because the technology is not working properly. For example, the system may indicate that you do not have enough data to create a certificate, but you are sure that this is not the case. The helpdesk can then support you in finding a solution. For example, it may be that the care provider who tested or vaccinated you did not store the data correctly. You can then have this adjusted through the care provider.
In addition, a route has been developed via a care provider portal. You can then contact the person who vaccinated or tested you and you can still receive an EU DCC via that route.
9. What are your rights?
You have several rights to control your personal information. You can find these on the website of the Dutch Data Protection Authority (Dutch).
As indicated earlier, both the CoronaCheck app and the coronacheck.nl website show which data is collected to create your certificate so that you can view it. In the CoronaCheck app, you can always find which data is contained in the QR code of your EU DCC. If your details are incorrect, you can contact the healthcare provider who tested or vaccinated you. You can delete your data yourself: the data is only stored in your CoronaCheck app, so if you delete the app, your data will be deleted as well. You can decide for yourself whether you want to destroy the paper proof that you have printed. Within the coronacheck.nl website, no data is stored to create your certificate, and thus none can be deleted.
The option to invoke one of your privacy rights regarding the use of CoronaCheck and coronacheck.nl remains in effect. You can submit such a request via firstname.lastname@example.org.
10. Reporting complaints about the use of your data
For questions or complaints about the use of the CoronaCheck app or the coronacheck.nl website please contact the helpdesk: email@example.com.
Contact details of the Data Protection Officer of the Ministry of Health, Welfare, and Sport can be found on the Ministry’s website.
You can always submit a complaint about the processing of your personal data to the Dutch Data Protection Authority or a judge. More information about this can be found on the website of the Dutch Data Protection Authority. Contact details of the Dutch Data Protection Authority can be found here.
11. Security of your personal data
The Minister takes the protection of your personal data seriously and has taken appropriate technical and organizational measures in the creation of the CoronaCheck app and the coronacheck.nl website to prevent misuse, loss, unauthorized access, unwanted disclosure, and unauthorized alteration of the processed data.
12. Changing privacy statement
This privacy statement is subject to change. In such cases, we will post the amended privacy statement on our website, after which this privacy statement will be effective immediately. Last update: April 25, 2022.
Overview of processed personal data
Personal data that is processed when issuing an EU DCC:
- An IP address used by the involved person when creating a certificate
- The social security number of the involved person
- The involved person’s first and last name
- Organisation from which vaccination or recovery data has been retrieved
- In case of a test or recovery certificate:
  - Unique test code
  - Type of test
  - Name of test
  - Date and time of test administration
  - Date and time of determination of test result
  - Pathogen that has been tested for
  - Test producer
  - Test center name
  - Result of the test (negative for test certificate, positive for statement of recovery)
- Only in case of a certificate of vaccination:
  - Date(s) of administration
  - Unique vaccination code
  - Pathogen against which the vaccine works
  - Type of vaccine
  - Name of vaccine
  - Marketing authorisation holder or manufacturer of the vaccine
  - Sequence number in series of vaccinations/doses
Personal data stored in the QR code you show to controllers:
Personal data included in the EU DCC (QR code) regardless of the type (test, vaccination or recovery certificate):
- Name: family name(s) and first name(s) and possibly suffix
- Date of birth
- Target disease or pathogen (for example: SARS-CoV-2 and/or variants thereof)
- Unique certificate identification code
- Member state where test/vaccination has been carried out or proof of recovery has been obtained
- Issuer of the EU DCC, which is VWS for the Netherlands
The QR code for the EU DCC as test certificate contains, in addition to the general data:
- Registered date and time of test administration
- Type of test
- Name of test (optional for NAAT (PCR) test)
- Name of test producer (optional for NAAT (PCR) test)
- Test result
- Test center or facility (optional for rapid antigen test)
The QR code for the EU DCC as proof of vaccination contains, in addition to the general data:
- Vaccine/prophylaxis (type of vaccine, e.g. mRNA vaccine or antigenic vaccine)
- Vaccine name
- Marketing authorisation holder or vaccine producer
- Sequence number in a series of vaccinations/doses
- Date of vaccination, including date of last dose received
The QR code for the EU DCC as proof of recovery contains, in addition to the general data, the following data:
- Date of first positive test result
- Date from which the certificate is valid
- Date until which the certificate is valid