CoronaCheck app and printed EU Digital COVID Certificate Privacy Statement

This privacy statement has been written for the use of the CoronaCheck application and the coronacheck.nl website as of February 2023 and explains how personal data of individuals who generate and use an EU Digital COVID Certificate are processed and what measures have been taken to protect this personal data.

For travels within Europe, you need an EU Digital Covid Certificate (we call it the EU DCC, which also takes the form of a QR code). With this certificate you can prove that you have tested negative, have been vaccinated, or have recovered from coronavirus. You can create the EU DCC via an app and save it there (CoronaCheck app) or you can create the certificate via the website www.coronacheck.nl and print it.

The Minister of Health, Welfare, and Sport (VWS) is responsible for creating a certificate via the CoronaCheck app or the coronacheck.nl website. To create a certificate, personal data must be processed.

This privacy statement explains what personal data is involved, on what legal basis it is processed, what your rights are, and what you can do if you disagree with the processing.

1. What personal data is processed?

To create an EU DCC, we use data about your health: test results, vaccination records, and recovery statements. We also use data that tells us something about who you are, so we can retrieve the right information and verify whether the certificate is truly yours. If you request a certificate via the CoronaCheck app or the coronacheck.nl website, we need the following information:

• Social security number (BSN)
• First name and last name
• Date of birth

In addition to the above information, the following information is required, which varies depending on the certificate you want to retrieve:

• If you want a certificate based on a negative test:
  • a recent negative test result and the type of test;
• If you want a certificate based on a vaccination:
  • a confirmation that you’ve been vaccinated using what vaccine, and possibly a positive test result from the past (so that, in case of vaccinations that normally consist of two injections, a full vaccination certificate can be issued after only one injection if you had coronavirus prior to your vaccination);
• If you want a certificate based on recovery:
  • a recent positive test result that shows you had coronavirus in the past.

Because the CoronaCheck app and coronacheck.nl website use an internet connection, your IP address will also be processed. This is inherent to the use of internet and IP technology and is necessary to establish a technical connection between the test or vaccination performer’s server and your phone or browser. The IP address is also processed for management and security purposes.

If you’ve been tested at a test provider other than a GGD, VWS will not process your BSN, but the unique retrieval code and verification code provided to you by the test provider will be used.

In addition, other data is retrieved that cannot be traced back to you directly. If you want to know exactly what other data is processed, click here. There you will find an overview of the data collected and processed to create the EU DCC and a description of which data is actually included in the QR code you have to show if you want to travel to another country within Europe.

Upon issue of an EU DCC, a unique certificate code of your EU DCC will be generated. If we are issuing a physical EU DCC, a unique pairing code is also included. You can use it to convert the physical EU DCC back to a digital EU DCC.

2. Where does my data come from?

Information about your test, vaccination and/or recovery is provided by the care provider who tested or vaccinated you. Data for a certificate or recovery is provided by the GGDs. This data can be requested in two ways, which also include the processing of personal data:

1. When you’re tested by another test provider than your regional GGD, the data is requested via the unique retrieval code and verification code you received from the test provider. In this case, you may retrieve your data by entering this unique retrieval code and verification code in the CoronaCheck app or on the coronacheck.nl website.
2. When retrieving information about vaccination or recovery or a negative test carried out by a GGD or a care provider at the hospital, log in using your DigiD to identify yourself. By logging in, VWS will receive your BSN and can verify your first name, last name, and date of birth based on your BSN by checking the Personal Records Database Using this combined information, the Minister will request your data from parties who may have your information about your vaccination, recovery, and test (like the GGDs, the RIVM, the hospital where you have been vaccinated, and your general practitioner). Information about your recovery is based on a positive test in the past, which the test provider who tested you has had to report to the local GGD.

If you retrieve your data using the CoronaCheck app or via the coronacheck.nl website, you will be shown which information is retrieved and where it came from.

If you only have a physical certificate on paper that you received from your healthcare provider or via the helpdesk at the CIBG, then it is possible to scan your paper certificate via the CoronaCheck app. You can scan the QR code of your physical certificate using your smartphone camera. This information will then be used to create a digital EU DCC.

3. Why we process personal data (purpose of processing)

We gather this data to be able to create an EU DCC for you.

The purpose of this intended data processing is to facilitate the free movement of persons, as normally applicable within the European Economic Area (EEA), during the COVID-19 pandemic and to prevent people with an increased risk of infection from entering member states.

We process personal data to be able to create an EU DCC for you. You may use it to travel to countries within Europe that require an EU DCC to enter. A number of non-EEA countries and areas have joined the EU DCC system as well.

4. What is the basis for this data processing?

The Minister of VWS is required by law to create an EU DCC for someone who requests one if they meet the requirements. They need to be vaccinated or possess a valid test result or recovery certificate.

The General Data Protection Regulation (GDPR) lists six possible bases for processing personal data (Article 6 (1) AVG). The basis for processing your data is based on Article 6 (1) (e) of the GDPR: a task of general interest. Data concerning your health may be processed on the basis of Article 6 (1) (e) in conjunction with Article 9 (2) (b) of the GDPR. Since this is a certificate for travel within the EEA the basis must be found in European law (see Regulation 2021/953/EU and Temporary Decision DCC).

Basis of European law

On June 14, 2021, the Regulation (EU) 2021/953 of the European Parliament and the Council regarding a framework for the issuing, verification, and acceptance of interoperable COVID-19 vaccination, test, and recovery certificates (digital EU-COVID certificate) to facilitate free movement during the COVID-19 pandemic was published (hereinafter: the regulation).

The regulation provides a European (technical) framework for the issuing of interoperable certificates on COVID-19 vaccination, testing, and recovery with the aim of facilitating the free movement of persons (Article 21, TFEU). The EU DCC is issued under the regulation (Article 3, second paragraph of the regulation). The Minister of Health (or his designee) is responsible for issuing the EU DCC in digital or paper form. In article 10, sixth paragraph of the regulation, the person responsible for the issuing is designated responsible for data processing. The Minister of Health, Welfare, and Sport is therefore the data processor for the issuing of the EU DCC.

5. Who is responsible for data processing and who are the processors?

The Minister of Health, Welfare, and Sport (hereinafter: the Minister) is responsible for processing personal information in the CoronaCheck app and the coronacheck.nl website.

The Minister’s processors:

• Prolocation B.V. manages the configuration server and back-end systems of VWS and the signing servers used by VWS.
• Yource Operations B.V. provides the necessary helpdesk services. The helpdesk serves as a point of information and supports citizens if they get stuck in the operation of the CoronaCheck app. They also provide explanations and referrals if citizens find that the retrieved data is incomplete or incorrect.

6. How long do we store your information?

Only data saved in the CoronaCheck app itself or printed on the paper certificate will be kept. Of course, for the paper certificate, you decide how long to keep the data. This is also the case with the CoronaCheck app: if you delete the app that data will also be deleted. Otherwise, the data will be stored according to the following periods:

• Negative test results: 96 hours after date and time of test administration until maximum of 14 days;
• Positive test results: 1 year (for a recovery certificate, but if it is part of a vaccination certificate, up until 3 years after your most recent vaccination);
• Vaccination data: 3 years after the vaccination date (please be aware that in some cases a positive test result can be part of your vaccination data)
• Recovery data: 180 days after the date and time of test administration;
• A unique serial number of your EU DCC and a code of the data source will be saved for two years.
• In case we provide you with a physical EU DCC, the associated pairing code will be saved for one year after the issue.

Your social security number will not be stored by VWS. Your IP address will not be stored for more than seven days.

7. With whom will your information be shared?

If you show your certificate to the person checking your certificate in another member state when you enter, they can read the data contained in the QR code. The controller is not allowed to store this data. They can only check at that moment whether you have a valid EU DCC.

If you show the EU DCC in another country, the controller in that other country will see all the data included in the QR code of the EU DCC. Click here for an overview of that data.

Please do note that if you have your QR code scanned in another country outside of the EEA, other rules for protecting your personal data may apply. Moreover, you cannot exercise all the rights over there that you have within the EEA, because outside of the EEA the GDPR does not apply.

8. Is there automated decision-making?

Yes, if you request your EU DCC via the coronacheck.nl website or the CoronaCheck app, this process is handled completely automatically. If you get stuck as a result and you do meet the requirements, there are several options for getting an EU DCC. First of all, there is a page with answers to the most frequently asked questions. If you do not find an answer to your question there, you can contact the helpdesk via: helpdesk@coronacheck.nl. They can help you if you are stuck because the technology is not working properly. For example, the system may indicate that you do not have enough data to create a certificate, but you are sure that this is not the case. The helpdesk can then support you in finding a solution. For example, it may be that the care provider who tested or vaccinated you did not store the data correctly. You can then have this adjusted through the care provider.

In addition, a route has been developed via a care provider portal. You can then contact the person who vaccinated or tested you and you can still receive an EU DCC via that route.

9. What are your rights?

You have several rights to control your personal information. You can find these on the website of the Dutch Data Protection Authority (Dutch).

As indicated earlier, both the CoronaCheck app and the coronacheck.nl website show which data is collected to create your certificate so that you can view it. In the CoronaCheck app, you can always find which data is contained in the QR code of your EU DCC. If your details are incorrect, you can contact the healthcare provider who tested or vaccinated you. You can delete your data yourself. The data is only stored in your CoronaCheck app, so if you delete the app, your data will be deleted as well. You can decide for yourself whether you want to destroy the paper proof that you have printed. Within the coronacheck.nl website, no data is stored to create your certificate.

The option to invoke one of the rights you have regarding the processing of your personal data in CoronaCheck and on coronacheck.nl remains in effect. You can submit such a request via helpdesk@coronacheck.nl.

10. Report complaints about the use of your data?

For questions or complaints about the use of the CoronaCheck app or the coronacheck.nl website please contact the helpdesk: helpdesk@coronacheck.nl.

Contact details of the Data Protection Officer of the Ministry of Health, Welfare, and Sport can be found on the Ministry’s website.

If your complaint has not been resolved to your satisfaction, you can always submit a complaint about the processing of your personal data to the Dutch Data Protection Authority. More information about this can be found on the website of the Dutch Data Protection Authority. Contact details of the Dutch Data Protection Authority can be found here.

11. Security of your personal data

The government takes the protection of your personal data seriously and has taken appropriate technical and organizational measures in the creation of the CoronaCheck app and the coronacheck.nl website to prevent misuse, loss, unauthorized access, unwanted disclosure, and unauthorized alteration of the processed data.

12. Changing privacy statement

This privacy statement is subject to change. In such cases, we will post the amended privacy statement on our website, after which this privacy statement will be effective immediately. Last update: February 2023.

Overview of processed personal data

Personal data that is processed when issuing an EU DCC:

• An IP address used by the involved person when creating a certificate
• The social security number of the involved person
• The involved person’s first and last name
• Organisation from which vaccination or recovery data has been retrieved
• In case of a test or recovery certificate:
  • Unique test code
  • Type of test
  • Name of test
  • Date and time of test administration
  • Date and time of determination of test result
  • Pathogen that has been tested for
  • Test producer
  • Test center name
  • Result of the test (negative for test certificate, positive for statement of recovery)
• Only in case of a certificate of vaccination:
  • Date(s) of administration
  • Unique vaccination code
  • Pathogen against which the vaccine works
  • Type of vaccine
  • Name of vaccine
  • Marketing authorisation holder or manufacturer of the vaccine
  • Sequence number in series of vaccinations/doses

Personal data stored in the QR code you show to controllers:

EU DCC

Personal data included in the EU DCC (QR code) regardless of the type (test, vaccination or recovery certificate):

• Name: family name(s) and first name(s) and possibly suffix
• Date of birth
• Target disease or pathogen (for example: SARS-CoV-2 and/or variants thereof)
• Unique certificate identification code
• Member state where test/vaccination has been carried out or proof of recovery has been obtained
• Issuer of the EU DCC, which is VWS for the Netherlands

The QR-code for the EU DCC as test certificate contains, in addition to general data:

• Registered date and time of test administration
• Type of test
• Name of test (optional for NAAT (PCR) test)
• Name of test producer (optional for NAAT (PCR) test)
• Test result
• Test center or facility (optional for rapid antigen test)

The QR code for the EU DCC as proof of vaccination in addition to the general data:

• Vaccine/prophylaxis (type of vaccine, e.g. mRNA vaccine or antigenic vaccine)
• Vaccine name
• Marketing authorisation holder or vaccine producer
• Sequence number in a series of vaccinations/doses
• Date of vaccination, including date of last dose received

The QR code for the EU DCC as repair evidence contains, in addition to the general data, the following data:

• Date first positive test result
• Date from which date the certificate is valid
• Date until which certificate is valid