Frequently asked questions
Language: English
Switch language:

CoronaCheck app and printed EU Digital COVID Certificate Privacy Statement

This privacy statement has been written for the use of the CoronaCheck application and the coronacheck.nl website as of February 2023 and explains how personal data of individuals who generate and use an EU Digital COVID Certificate are processed and what measures have been taken to protect this personal data.

For travels within Europe, you need an EU Digital Covid Certificate (we call it the EU DCC, which also takes the form of a QR code). With this certificate you can prove that you have tested negative, have been vaccinated, or have recovered from coronavirus. You can create the EU DCC via an app and save it there (CoronaCheck app) or you can create the certificate via the website www.coronacheck.nl and print it.

The Minister of Health, Welfare, and Sport (VWS) is responsible for creating a certificate via the CoronaCheck app or the coronacheck.nl website. To create a certificate, personal data must be processed.

This privacy statement explains what personal data is involved, on what legal basis it is processed, what your rights are, and what you can do if you disagree with the processing.

1. What personal data is processed?

To create an EU DCC, we use data about your health: test results, vaccination records, and recovery statements. We also use data that tells us something about who you are, so we can retrieve the right information and verify whether the certificate is truly yours. If you request a certificate via the CoronaCheck app or the coronacheck.nl website, we need the following information:

In addition to the above information, the following information is required, which varies depending on the certificate you want to retrieve:

Because the CoronaCheck app and coronacheck.nl website use an internet connection, your IP address will also be processed. This is inherent to the use of internet and IP technology and is necessary to establish a technical connection between the test or vaccination performer’s server and your phone or browser. The IP address is also processed for management and security purposes.

If you’ve been tested at a test provider other than a GGD, VWS will not process your BSN, but the unique retrieval code and verification code provided to you by the test provider will be used.

In addition, other data is retrieved that cannot be traced back to you directly. If you want to know exactly what other data is processed, click here. There you will find an overview of the data collected and processed to create the EU DCC and a description of which data is actually included in the QR code you have to show if you want to travel to another country within Europe.

Upon issue of an EU DCC, a unique certificate code of your EU DCC will be generated. If we are issuing a physical EU DCC, a unique pairing code is also included. You can use it to convert the physical EU DCC back to a digital EU DCC.

2. Where does my data come from?

Information about your test, vaccination and/or recovery is provided by the care provider who tested or vaccinated you. Data for a certificate or recovery is provided by the GGDs. This data can be requested in two ways, which also include the processing of personal data:

  1. When you’re tested by another test provider than your regional GGD, the data is requested via the unique retrieval code and verification code you received from the test provider. In this case, you may retrieve your data by entering this unique retrieval code and verification code in the CoronaCheck app or on the coronacheck.nl website.
  2. When retrieving information about vaccination or recovery or a negative test carried out by a GGD or a care provider at the hospital, log in using your DigiD to identify yourself. By logging in, VWS will receive your BSN and can verify your first name, last name, and date of birth based on your BSN by checking the Personal Records Database Using this combined information, the Minister will request your data from parties who may have your information about your vaccination, recovery, and test (like the GGDs, the RIVM, the hospital where you have been vaccinated, and your general practitioner). Information about your recovery is based on a positive test in the past, which the test provider who tested you has had to report to the local GGD.

If you retrieve your data using the CoronaCheck app or via the coronacheck.nl website, you will be shown which information is retrieved and where it came from.

If you only have a physical certificate on paper that you received from your healthcare provider or via the helpdesk at the CIBG, then it is possible to scan your paper certificate via the CoronaCheck app. You can scan the QR code of your physical certificate using your smartphone camera. This information will then be used to create a digital EU DCC.

3. Why we process personal data (purpose of processing)

We gather this data to be able to create an EU DCC for you.

The purpose of this intended data processing is to facilitate the free movement of persons, as normally applicable within the European Economic Area (EEA), during the COVID-19 pandemic and to prevent people with an increased risk of infection from entering member states.

We process personal data to be able to create an EU DCC for you. You may use it to travel to countries within Europe that require an EU DCC to enter. A number of non-EEA countries and areas have joined the EU DCC system as well.

4. What is the basis for this data processing?

The Minister of VWS is required by law to create an EU DCC for someone who requests one if they meet the requirements. They need to be vaccinated or possess a valid test result or recovery certificate.

The General Data Protection Regulation (GDPR) lists six possible bases for processing personal data (Article 6 (1) AVG). The basis for processing your data is based on Article 6 (1) (e) of the GDPR: a task of general interest. Data concerning your health may be processed on the basis of Article 6 (1) (e) in conjunction with Article 9 (2) (b) of the GDPR. Since this is a certificate for travel within the EEA the basis must be found in European law (see Regulation 2021/953/EU and Temporary Decision DCC).

Basis of European law

On June 14, 2021, the Regulation (EU) 2021/953 of the European Parliament and the Council regarding a framework for the issuing, verification, and acceptance of interoperable COVID-19 vaccination, test, and recovery certificates (digital EU-COVID certificate) to facilitate free movement during the COVID-19 pandemic was published (hereinafter: the regulation).

The regulation provides a European (technical) framework for the issuing of interoperable certificates on COVID-19 vaccination, testing, and recovery with the aim of facilitating the free movement of persons (Article 21, TFEU). The EU DCC is issued under the regulation (Article 3, second paragraph of the regulation). The Minister of Health (or his designee) is responsible for issuing the EU DCC in digital or paper form. In article 10, sixth paragraph of the regulation, the person responsible for the issuing is designated responsible for data processing. The Minister of Health, Welfare, and Sport is therefore the data processor for the issuing of the EU DCC.

5. Who is responsible for data processing and who are the processors?

The Minister of Health, Welfare, and Sport (hereinafter: the Minister) is responsible for processing personal information in the CoronaCheck app and the coronacheck.nl website.

The Minister’s processors:

6. How long do we store your information?

Only data saved in the CoronaCheck app itself or printed on the paper certificate will be kept. Of course, for the paper certificate, you decide how long to keep the data. This is also the case with the CoronaCheck app: if you delete the app that data will also be deleted. Otherwise, the data will be stored according to the following periods:

Your social security number will not be stored by VWS. Your IP address will not be stored for more than seven days.

7. With whom will your information be shared?

If you show your certificate to the person checking your certificate in another member state when you enter, they can read the data contained in the QR code. The controller is not allowed to store this data. They can only check at that moment whether you have a valid EU DCC.

If you show the EU DCC in another country, the controller in that other country will see all the data included in the QR code of the EU DCC. Click here for an overview of that data.

Please do note that if you have your QR code scanned in another country outside of the EEA, other rules for protecting your personal data may apply. Moreover, you cannot exercise all the rights over there that you have within the EEA, because outside of the EEA the GDPR does not apply.

8. Is there automated decision-making?

Yes, if you request your EU DCC via the coronacheck.nl website or the CoronaCheck app, this process is handled completely automatically. If you get stuck as a result and you do meet the requirements, there are several options for getting an EU DCC. First of all, there is a page with answers to the most frequently asked questions. If you do not find an answer to your question there, you can contact the helpdesk via: helpdesk@coronacheck.nl. They can help you if you are stuck because the technology is not working properly. For example, the system may indicate that you do not have enough data to create a certificate, but you are sure that this is not the case. The helpdesk can then support you in finding a solution. For example, it may be that the care provider who tested or vaccinated you did not store the data correctly. You can then have this adjusted through the care provider.

In addition, a route has been developed via a care provider portal. You can then contact the person who vaccinated or tested you and you can still receive an EU DCC via that route.

9. What are your rights?

You have several rights to control your personal information. You can find these on the website of the Dutch Data Protection Authority (Dutch).

As indicated earlier, both the CoronaCheck app and the coronacheck.nl website show which data is collected to create your certificate so that you can view it. In the CoronaCheck app, you can always find which data is contained in the QR code of your EU DCC. If your details are incorrect, you can contact the healthcare provider who tested or vaccinated you. You can delete your data yourself. The data is only stored in your CoronaCheck app, so if you delete the app, your data will be deleted as well. You can decide for yourself whether you want to destroy the paper proof that you have printed. Within the coronacheck.nl website, no data is stored to create your certificate.

The option to invoke one of the rights you have regarding the processing of your personal data in CoronaCheck and on coronacheck.nl remains in effect. You can submit such a request via helpdesk@coronacheck.nl.

10. Report complaints about the use of your data?

For questions or complaints about the use of the CoronaCheck app or the coronacheck.nl website please contact the helpdesk: helpdesk@coronacheck.nl.

Contact details of the Data Protection Officer of the Ministry of Health, Welfare, and Sport can be found on the Ministry’s website.

If your complaint has not been resolved to your satisfaction, you can always submit a complaint about the processing of your personal data to the Dutch Data Protection Authority. More information about this can be found on the website of the Dutch Data Protection Authority. Contact details of the Dutch Data Protection Authority can be found here.

11. Security of your personal data

The government takes the protection of your personal data seriously and has taken appropriate technical and organizational measures in the creation of the CoronaCheck app and the coronacheck.nl website to prevent misuse, loss, unauthorized access, unwanted disclosure, and unauthorized alteration of the processed data.

12. Changing privacy statement

This privacy statement is subject to change. In such cases, we will post the amended privacy statement on our website, after which this privacy statement will be effective immediately. Last update: February 2023.

Overview of processed personal data

Personal data that is processed when issuing an EU DCC:

Personal data stored in the QR code you show to controllers:

EU DCC

Personal data included in the EU DCC (QR code) regardless of the type (test, vaccination or recovery certificate):

The QR-code for the EU DCC as test certificate contains, in addition to general data:

The QR code for the EU DCC as proof of vaccination in addition to the general data:

The QR code for the EU DCC as repair evidence contains, in addition to the general data, the following data: