CoronaCheck app and printed corona admission ticket Privacy Statement
About CoronaCheck and the printed corona admission ticket
The CoronaCheck app is a technical tool that enables you to show digital proof of a recent negative test for COVID-19. Alternatively, you can generate a corona admission ticket at coronacheck.nl and print off as a hard copy. When this privacy statement refers to the website coronacheck.nl, it’s specifically intended to refer to the option on coronacheck.nl to generate a corona admission ticket. The corona admission ticket is proof that someone has tested negative for COVID-19 and has temporary validity. This proof is one of the prerequisites for accessing specific events and facilities as outlined in the Temporary Corona Admission Tickets Law. Following is a brief outline of how to generate a corona admission ticket in the CoronaCheck app and how to generate a printed corona admission ticket. The following description covers more than the actual processing of personal data that takes place within the CoronaCheck app and on coronacheck.nl and has been included in this privacy statement to give insight into the end-to-end process.
If you visit an event or facility, you first take a corona test with an affiliated test provider. You will receive the test results from the test provider. Along with your test results, you will receive a code. You then have 2 options to generate your corona admission ticket. We describe both options: (1) generating a corona admission ticket via the CoronaCheck app (digital corona admission ticket) and (2) generating a corona admission ticket to print off as a hard copy (printed corona admission ticket).
CoronaCheck (digital corona admission ticket)
You can download the CoronaCheck app on your mobile phone from the Apple App Store or Google Play Store. When the app is installed, it will connect to a configuration server to retrieve the latest settings. You then receive an explanation of how the app works. You can enter the code you have received with your test results into the CoronaCheck app. If a test result is available, you will receive an additional verification code via SMS. Enter this code in your CoronaCheck app. After checking both codes, the CoronaCheck app will retrieve your negative test results from the corresponding test provider. You can convert these test results into a corona admission ticket by pressing the ‘Make QR’ button. The test results are then digitally signed by a so-called signing service. After signing, the CoronaCheck app creates a corona admission ticket in the form of a QR code. Your identifying data is part of this QR code in order to prevent fraud when presenting QR codes to a scanner. The identifying data includes your first name initial, your last name initial, your day of birth and your month of birth. To combat fraud, the scanner checks if these details are in correspondence with your proof of identity.
Printed corona admission ticket
To display a printed corona admission ticket, you can generate a corona admission ticket at coronacheck.nl by entering the retrieval code you have received with your test results. You then receive an additional verification code via SMS, that you also enter on the website. After checking both codes, the same process is initiated as when generating a digital corona admission ticket: the test results are retrieved from and signed by the test provider. After signing by the signing service, a QR code is generated which serves as your corona admission ticket. Your identifying data is both part of this QR code and included underneath the QR code. You can print the corona admission ticket off as a hard copy.
To get access to certain locations or activities, you have your QR code (in the app or on paper) scanned at the entrance. The scanner at the entrance uses the CoronaCheck Scanner app to scan your QR code. Do you have a valid QR code as well as an admission ticket? Then you’re welcome to enter.
The QR code is valid for 40 hours (both digital and on paper). This is calculated from the time of taking the COVID-19 test.
1. Who is responsible for processing personal information?
The Minister of Health, Welfare and Sport (hereinafter: ‘the Minister’) is responsible for the processing of personal information in the CoronaCheck app and the website coronacheck.nl (to the extent that the website is used to generate a corona admission ticket). The Minister is not responsible for any other processing of personal information that takes place outside the app or the website coronacheck.nl (to the extent that the website is used to generate a corona admission ticket).
2. Grounds for processing of personal information
Under Article 9 of the GDPR, in principle a processing prohibition applies to personal information relating to a person’s health. On 1 June 2021, the Temporary Corona Admission Tickets Law came into effect. This law provides the legal grounds for the processing responsibility of the Ministry of Health, Welfare and Sport for the processing of personal information by test providers when generating a corona admission ticket and is therefore an exception to this processing prohibition.
The Temporary Corona Admission Tickets Law also provides the grounds for the processing of non-special personal information under Article 6, first paragraph, section E of the GDPR.
The Temporary Corona Admission Tickets Law specifies the types of activities and facilities for which a corona admission ticket can be required: cultural activities, events, organised youth activities, hospitality or sports. Additional regulation may stipulate that corona admission tickets can also be used for vocational or higher education.
The Temporary Corona Admission Tickets Law stipulates that a test provider provides information with which a digital or printed corona admission ticket can be generated.
The corona admission ticket is scanned with the CoronaCheck Scanner app, the grounds for which are also outlined in the Temporary Corona Admission Tickets Law. No personal data is saved in the CoronaCheck Scanner app. Additional regulations stipulate that scanners who scan the corona admission ticket under the Temporary Corona Admission Tickets Law are required to check the proof of identity of the person presenting the corona admission ticket.
3. For what purpose is personal information processed?
The government is working hard to open society in a responsible manner. Testing visitors for the COVID-19 virus before participating in or getting access to an activity or facility is part of this. Such access tests allow social, cultural and sports locations to be opened responsibly and quicker during times of COVID-19. Showing a negative test result gives visitors access to these types of venues. The CoronaCheck app allows visitors to show digital proof of their corona admission ticket, allowing them access to these locations. Visitors can also generate a corona admission ticket on the website coronacheck.nl to print off as a hard copy without having to use the CoronaCheck app.
4. Which personal information is processed?
The CoronaCheck app and coronacheck.nl process the following personal information:
- The test results of your COVID-19 test
- The first letter of your first name
- The first letter of your last name
- Your day and month of birth
- An IP address
Test results – The test results that the CoronaCheck app or coronacheck.nl retrieves from the test provider contain information about the test: whether or not it is a negative test, the date and time the test was taken, the type of test (e.g. PCR test), test provider identification and a unique random number. This unique random number is provided by the test provider and is not related to a person. These random numbers are assigned to be able to avoid double issuance of corona admission tickets.
The following information is provided by the test provider: the first letter of your first name, the first letter of your last name, your day and month of birth. This information is used for verification when the test results are retrieved. This proves that the test results that have been retrieved are yours. This information is not displayed to the CoronaCheck Scanner app when your QR code is scanned to access a location.
Corona admission ticket – The corona admission ticket (in the form of a QR code) contains the information included in the test results: first name initial, last name initial, day of birth and month of birth as well as the start date and time of the validity of the corona admission ticket (rounded to the nearest hour). The first name initial, last name initial, day of birth and month of birth are also included in a separate line underneath the QR code.
Digital signature – This is placed to ensure the corona admission ticket cannot be modified. Within the process, the digital signature in itself is not personal information as such, but signing a test result is necessary to generate a valid corona admission ticket.
The IP address is also used. This is inherent to the use of internet and IP technology and is a technical requirement to establish a connection between the test provider’s processor’s server and your phone. The IP address is only processed for management and security purposes. The IP address is ‘stripped’ by the processor before receipt by the signing configuration server (when using the CoronaCheck app) and signing service.
The corona admission ticket (both digital and printed) is scanned by the CoronaCheck Scanner app. This shows if a person has a negative and valid corona admission ticket. The scanner also checks if the identifying data on the digital or printed corona admission ticket (first name initial, last name initial, day of birth and month of birth) matches the person’s proof of identity. The CoronaCheck Scanner app does not process any personal data.
Finally, when using a digital corona admission ticket, the device information is processed (the installed version of the CoronaCheck app and the operating system of your mobile phone). This is recorded to able to investigate issues and installation possibilities and inform persons about this.
5. Statistical information
The data collected with the CoronaCheck app and coronacheck.nl is used exclusively for the stated purposes in this privacy statement.
6. Who can access the data?
The digital signing of the corona admission ticket is done by Prolocation B.V. as the test provider’s processor. The test provider will make the appropriate agreements with Prolocation B.V. about the processing of personal data.
7. How long is personal data retained?
Within the CoronaCheck app and at coronacheck.nl, personal information is kept as follows:
- You can generate a digital corona admission ticket in the CoronaCheck app. The corona admission ticket is valid for maximum 40 hours, calculated from the time the test was taken. After the corona admission ticket has expired, the corona admission ticket and QR code are automatically deleted when opening the app.
- You can generate a corona admission ticket via coronacheck.nl to print off as a hard copy of your corona admission ticket. The QR code (including identifying data) is deleted when you close the browser containing the QR code. If you don’t close the browser manually, the QR code in the browser will automatically disappear after 40 hours.
- The IP address processed for management and security purposes by Prolocation B.V. is deleted after maximum 7 days.
- The CoronaCheck Scanner app does not save any personal information.
8. Your rights with regard to personal data
To control your personal data, you have a number of rights. You can find these here on the website of the Dutch Data Protection Authority (Autoriteit Persoonsgegevens). The CoronaCheck app and the website coronacheck.nl are designed on the principle of privacy by design and the protection of your personal information when using the CoronaCheck app is paramount. It’s possible to invoke one of your privacy rights with regard to the use of the CoronaCheck app. You can submit such a request to firstname.lastname@example.org.
9. Complaints about the use of your data
For questions or complaints about the use of the CoronaCheck app, please contact email@example.com.
The contact details for the Data Protection Officer of the Ministry of Health, Welfare and Sport are available on the website of the Ministry.
At all times you have the right to submit a complaint about the processing of your personal information to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) or to the court. You can find more information on the website of the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) (Dutch).
10. Security of your personal data
The Minister is concerned with the protection of your personal data and has taken appropriate technical and organisational measures when establishing the CoronaCheck app and CoronaCheck Scanner app to prevent misuse, loss, unauthorised access, unwanted disclosure and unauthorised changes of and to the processed data.
11. Security of your personal data
This privacy statement is subject to change. In case of any changes, we will publish the amended privacy statement on our website, after which the amended privacy statement will take effect immediately. Last updated on 3 June 2021.