CoronaCheck app and printed corona admission ticket Privacy Statement
This privacy statement has been written for the use of the applications CoronaCheck and CoronaCheck.nl as of June 24, 2021 and explains how personal data of individuals who generate and use a coronavirus pass or an EU Digital COVID Certificate are processed and what measures have been taken to protect this personal data.
If you want access to for example an event or activities in the Netherlands, or if you want to travel to another country within Europe you may have to proof you have tested negative, or have been vaccinated, or have already had coronavirus once before. The certificate for use within the Netherlands, in the form of a QR code, is called the coronavirus pass. For travels within Europe, you need an EU Digital Covid Certificate (we’re calling it an EU DCC which is also in the form of a QR code). You can have both certificates made via an app on your phone and save them there (CoronaCheck app) or you can have the certificates made and print them via the website www.coronacheck.nl. The Minister of Health, Welfare and Sport (VWS) is responsible for creating the certificates via the app of the website. To create the certificates, personal data must be processed. This privacy statement explains what personal data is involved, on what basis it is processed, what your rights are and what you can do if you disagree with the processing.
1. What personal data is processed?
To create a domestic coronavirus pass and an EU DCC, we use data about your health: test results, vaccination records and recovery statements. We also use data that tells us something about who you are, so we can retrieve the right information and verify whether the certificate is truly yours. If you request a certificate via the app or the website, we need the following information:
- Social security number (BSN)
- First name and last name
- Date of birth
In addition to the above information, the following information is required, which varies depending on the certificate you want to retrieve:
- If you want a certificate based on a negative test; a recent negative test result and the type of test;
- If you want a certificate based on vaccination; if you’ve been vaccinated, using what vaccine;
- If you want a certificate based on recovery; a positive test result that shows you had coronavirus in the past.
Because the app and website use an internet connection, your IP address will also be processed. This is inherent to the use of internet and IP technology and is necessary to technically establish a connection between the test performer’s or vaccinator’s server and your phone or browser. The IP address is processed for management and security purposes only.
If you’ve been tested at a test provider other than the GGD, your BSN will not be processed, but the unique retrieval code and verification code provided to you by the test provider will be used.
In addition, other data is retrieved that cannot be traced back to you directly. If you want to know exactly what other data is processed, click here. There you will find an overview of the data collected and processed to create the coronavirus pass and the EU DCC and a description of which data is actually included in the QR code you have to show at an event or if you want to travel to another country within Europe.
2. Where does my data come from?
Information about your test, vaccination and/or recovery is provided by the care provider who tested or vaccinated you. Data for a certificate or recovery is provided by the GGD. This data is requested through two ways, in which data is also received:
- When you’re tested by another test provider than the GGD, the data is requested via the unique retrieval code and verification code you received from the test provider. In this case you may retrieve your data by entering this unique retrieval code and verification code in the app or on the website.
- When retrieving information about vaccination or recovery or a negative test carried out by the GGD, you log in using your DigiD to identify yourself. By logging in, the Minister of VWS will receive your BSN and can, based on your BSN, retrieve your first name, last name and date of birth from the Personal Records Database. Using this combined information, the Minister will request your data from parties (like the GGD, the RIVM and your general practitioner).
If you request your data in CoronaCheck or via coronacheck.nl, you will be shown which information is retrieved and where it is coming from.
If you only have a physical certificate on paper that you received from your healthcare provider or via the helpdesk at the CIBG, then it is possible to scan your paper certificate via CoronaCheck. You can scan the QR code of your physical certificate (on your EU DCC) using your smartphone camera. This information will then be used to create a digital EU DCC and a digital coronavirus pass. We need your permission to use your smartphone camera. CoronaCheck will ask you for this.
3. Why do we process this data (purpose of processing)
We gather this data to be able to create an EU DCC and a domestic coronavirus pass for you. You may use it to gain entry to certain events and activities in the Netherlands and can travel to countries within Europe that require an EU DCC to enter.
The purpose of this intended data processing is to facilitate the free movement of persons, as normally applicable within the EU (and EEA), during the COVID-19 pandemic and to prevent people with an increased risk of infection from entering member states. This is done through the issuing, verification and acceptance of interoperable vaccination, test and recovery (EU DCC) certificates.
The Netherlands has an interest in allowing non-essential sectors that have so far been subject to most COVID-19 pandemic related restrictions (sports, culture, hospitality) to (partially) reopen. The coronavirus pass can be used for this purpose.
4. What is the basis for this data processing?
The Minister of VWS is required by law to create an EU DCC and domestic coronavirus pass for someone who requests one if they meet the requirements. Of course, they need to be vaccinated or possess a valid test result.
The General Data Protection Regulation (GDPR) lists six possible bases for processing personal data (Article 6 (1) AVG). One of these is a legal duty that rests with the controller (in this case the Minister of Health, Welfare and Sport). The basis for processing your data is based on Article 6 (1) (c) of the GDPR: legal obligation. Because this is proof for both the Netherlands and travel within the EU (EEA), the basis must be found in both national law and European law.
Basis of European law
On June 14, 2021, the Regulation (EU) 2021/953 of the European Parliament and the Council regarding a framework for the issuing, verification and acceptance of interoperable COVID-19 vaccination, test and recovery certificates (digital EU-COVID certificate) in order to facilitate free movement during the COVID-19 pandemic was published (hereinafter: the regulation).
The regulation provides a European (technical) framework for the issuing of interoperable certificates on COVID-19 vaccination, testing and recovery with the aim of facilitating the free movement of persons (Article 21, TFEU). The EU DCC is issued under the regulation (Article 3, second paragraph of the regulation) and mandates the Minister of Health (or his designee) to issue the EU DCC in digital or paper form. Because the Regulation works directly and the need to process data in the context of the task imposed is evident, it is not necessary to include a separate processing basis in the act. In article 10, sixth paragraph of the regulation the person responsible for the issuing is designated responsible for data processing. The Minister of Health, Welfare and Sport is therefore the data processor for the issuing of the EU DCC.
Basis in national law
The Temporary act on coronavirus passes regulates the use of passes with the aim of reopening Dutch society. Article 58re (4) states that the Minister of Health, Welfare and Sport is responsible for the set-up and management of the applications and takes measures to ensure that the applications only show reliable results. In article 58re (5), the Minister of Health, Welfare and Sport is designated responsible for data processing. The basis for processing the data required for this purpose is provided in the draft legislation Change of the Public Health Act in connection with some improvements and clarifications of the temporary rules on the use of coronavirus passes in the fight against COVID-19.
Section 58re (6) provides the basis for the Minister to process personal data, including personal data on health. The Ministerial regulation amending the temporary regulation on COVID-19 Measures in connection with the use of coronavirus certificates on the basis of a negative test result (Article 6.31) and the Ministerial regulation amending the temporary regulation on COVID-19 Measures in connection with the use of coronavirus certificates on the basis of vaccination or recovery certificates (Article 6.31a) regulate which personal data may be processed.
For the provision of vaccination data by the RIVM for the purpose of a domestic coronavirus access pass, the basis is regulated in the draft legislation Change of the Public Health Act in connection with some improvements and clarifications of the temporary rules on the use of coronavirus passes in the fight against COVID-19. The ministerial regulation amending the Temporary Regulation on COVID-19 Measures in connection with the use of corona certificates based on vaccination or recovery (Article 6.31a) regulates which personal data may be processed by the RIVM.
5. Who is responsible for data processing?
The Minister of Health, Welfare and Sport (hereinafter: the Minister) is responsible for processing personal information in CoronaCheck and the website coronacheck.nl.
The Minister’s processors:
- Prolocation B.V. manages the configuration server and back-end systems of VWS and the signing servers (for both the coronavirus pass and EU the DCC) used by VWS.
- Webhelp Nederland B.V. provides the necessary helpdesk services. The helpdesk serves as a point of information and supports citizens if they get stuck in the operation of the app. They also provide explanations and referrals if citizens find that the retrieved data is incomplete or incorrect.
6. How long do we store your information?
Only data saved in the CoronaCheck-app itself or printed on the paper certificate will be kept. Of course, for the paper certificate you decide how long to keep the data. This is also the case with the CoronaCheck-app: if you delete the app that data will also be deleted. Otherwise, the data will be stored according to the following time periods:
- Test results: 96 hours after date and time of test administration
- Vaccination data: one year after vaccination date
- Recovery data: 180 days after date and time of test administration
Your social security number will not be stored. Your IP address will not be stored for more than seven days.
7. With whom will your information be shared?
If you show your certificate to a controller at an event or to the person checking your certificate in another member state when you enter, they can read the data contained in the QR code. The controller is not allowed to store this data. They can only check at that moment whether you have a valid domestic coronavirus pass, or a valid EU DCC and they check whether this card is really yours by comparing the data they see on the CoronaCheck Scanner screen with the data on your identity card.
For checking a coronavirus pass for use in the Netherlands, the Minister of Health has developed the CoronaCheck Scanner app to be used by the controllers. This shows as little data as possible, namely a green screen (valid coronavirus pass) or a red screen (not valid). This means the checker cannot see whether your coronavirus pass is based on a negative test, a vaccination or a positive test (recovery). If a green screen is displayed, the controller will then see the first letter of your first name and first letter of your last name, date of birth and month of birth as to verify it really is your certificate.
You cannot use your EU DCC in the Netherlands. If you do show your EU DCC to the controller in the Netherlands, the controller will be shown a red screen and a message that you need to show your domestic coronavirus pass. This is because the QR code of the EU DCC contains more data than we consider necessary for access in the Netherlands. If you show the EU DCC in another country, the controller in that other country will see all the data included in the QR code of the EU DCC. Click here for an overview of that data.
Please do note that if you have your QR code scanned in another country outside of the EU, other rules for protecting your personal data may apply. And that you cannot exercise all the rights over there that you have within the EU, because within the EU the GDPR applies.
## 8. Is there automated decision-making?
Yes, if you request your coronavirus pass or EU DCC via the website or via the app, this process is handled completely automatically. If you get stuck as a result and you do meet the requirements, there are several options for getting a national coronavirus pass and an EU DCC. First of all, there is a page with answers to the most frequently asked questions. If you do not find an answer to your question there, you can contact the helpdesk via: firstname.lastname@example.org. They can help you if you are stuck because the technology is not working properly. For example, the system may indicate that you do not have enough data to create a certificate, but you are sure that this is not the case. The helpdesk can then support you in finding a solution. For example, it may be that the care provider who tested or vaccinated you did not store the data correctly. You can then have this adjusted through the care provider.
In addition, a route has been developed via a care provider portal. You can then contact the person who vaccinated or tested you and you can still receive a domestic coronavirus pass and an EU DCC via that route.
9. What are your rights?
You have several rights to control your personal information. You can find these on the website of the Dutch Data Protection Authority (Dutch).
As indicated earlier, both the CoronaCheck-app and the website show which data is collected to create your certificate so that you can view it. In the app you can always find which data is contained in the QR code. If your details are incorrect, you can contact the healthcare provider who tested or vaccinated you. You can delete your data yourself, the data is only stored in your app, so if you delete it, your data will be deleted as well. You can decide for yourself whether you want to destroy the paper proof that you have printed. Within the CoronaCheck.nl website no data is stored to create your certificate and thus cannot be deleted.
The option to invoke one of your privacy rights regarding the use of CoronaCheck and CoronaCheck.nl remains in effect. You can submit such a request via email@example.com.
10. Report complains about the use of your data?
For questions or complaints about the use of the CoronaCheck-app, coronacheck.nl or the CoronaCheck scanner app, please contact the helpdesk: firstname.lastname@example.org.
Contact details of the Data Protection Officer of the Ministry of Health, Welfare and Sport can be found on the Ministry’s website.
You can always submit a complaint about the processing of your personal data to the Dutch Data Protection Authority or to a judge. More information about this can be found on the website of the Dutch Data Protection Authority. Contact details of the Dutch Data Protection Authority can be found here.
11. Security of your personal data
The Minister takes protection of your personal data seriously and has taken appropriate technical and organizational measures in the creation of CoronaCheck, coronacheck.nl and CoronaCheck Scanner to prevent misuse, loss, unauthorized access, unwanted disclosure, and unauthorized alteration of the processed data.
12. Changing privacy statement
This privacy statement is subject to change. In such cases, we will post the amended privacy statement on our website, after which this privacy statement will be effective immediately. Last update: August 24th, 2021.
Overview of processed personal data
Personal data that is processed when issuing both an EU DCC and a coronavirus pass:
- An IP address used by the involved person when creating a certificate
- The social security number of the involved person
- The involved person’s first and last name
- Organisation from which vaccination or recovery data has been retrieved
In case of a test or recovery certificate:
- Unique test code
- Type of test
- Name of test
- Date and time of test administration
- Date and time of determination of test result
- Pathogen that has been tested for
- Test producer
- Test center name
- Result of the test (negative for test certificate, positive for statement of recovery)
Only in case of a certificate of vaccination:
- Date(s) of administration
- Unique vaccination code
- Pathogen against which the vaccine works
- Type of vaccine
- Name of vaccine
- Marketing authorisation holder or manufacturer of the vaccine
- Sequence number in series of vaccinations/doses
Personal data stored in the QR code you show to controllers:
The QR code for the coronavirus pass is regenerated every 90 seconds and contains:
- Starting date and time of validity coronavirus pass
- Period of validity of the coronavirus pass
- First letter of first name, first letter of last name
- Month and day of birth
- Indication whether the code has been issued digitally or as a physical proof
Personal data included in the EU DCC (QR code) regardless of the type (test, vaccination or recovery certificate):
- Name: family name(s) and first name(s) and possibly suffix
- Date of birth
- Target disease or pathogen (for example: SARS-CoV-2 and/or variants thereof)
- Unique certificate identification code
- Member state where test/vaccination has been carried out or proof of recovery has been obtained
- Issuer of the EU DCC, which is VWS for the Netherlands
The QR-code for the EU DCC as test certificate contains, in addition to general data:
- Registered date and time of test administration
- Type of test
- Name of test (optional for NAAT (PCR) test)
- Name of test producer (optional for NAAT (PCR) test)
- Test result
- Test center or facility (optional for rapid antigen test)
The QR code for the EU DCC as proof of vaccination in addition to the general data:
- Vaccine/prophylaxis (type of vaccine, e.g. mRNA vaccine or antigenic vaccine)
- Vaccine name
- Marketing authorisation holder or vaccine producer
- Sequence number in a series of vaccinations/doses
- Date of vaccination, including date of last dose received
The QR code for the EU DCC as repair evidence contains, in addition to the general data, the following data:
- Date from which date the certificate is valid
- Date until which certificate is valid
Personal data processed when read by the CoronaCheck Scanner
Depending on the type of proof (EU DCC or coronavirus pass) different personal data will be processed in the CoronaCheck Scanner. In case of the EU DCC, these will be all the data in the QR code of the EU DCC (explainer earlier). In case of the coronavirus pass, it was decided to include less data in the QR code:
- Start date and time of validity of coronavirus pass
- Period of validity of coronavirus pass
- First letter of first name, first letter of last name
- Month and day of birth
For all types of evidence, the CoronaCheck Scanner shows the following data to the controller of a domestic activity or event:
- Indication: ‘Person holds valid certificate (green screen) or ‘Person does not hold valid certificate (red screen).
- A set of identifying data: the first letter of the first name, first letter of the last name, day and month of birth of the person involved. Based on this information, combined with the presentation of the individual’s ID card, the controller can check whether the EU DCC or coronavirus pass actually belongs to the individual. This set may be smaller if the verifiability can be achieved with less data, as indicated earlier.
The mentioned data will disappear from the screen with the next scan or else after 240 seconds at the latest.