Privacy Statement COVID Certificates

Privacy statement: CovidSafe App - COVID certificates

Privacy statement on data processing and data protection with regard to the COVID certificates

v.3.0 – 4 October 2021

This privacy statement contains all the information related to the processing of your personal data with regard to the COVID certificates (the EU Digital COVID Certificate as well as the COVID Safe Ticket). More specifically, it clarifies how your data are collected, processed and used. This document is divided into four sections:

General: this section explains a number of key concepts and clarifies what your rights are with regard to the processing of personal data and how you can exercise these rights;
Vaccination certificate: this section provides information on the processing of personal data with regard to the EU Digital COVID vaccination certificate;
Test and recovery certificates: this section provides information on the processing of personal data with regard to the EU Digital COVID test and recovery certificates.
Safe Ticket: this section provides information on the processing of personal data with regard to the COVID Safe Ticket.

General

What is processing of personal data? Concepts

‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

What are your rights with regard to the processing of personal data?

You can consult your processed personal data at any time and, if necessary, have them rectified. Under certain circumstances you also have the right to ask the controller to restrict the processing of your personal data.

If you have any questions about the processing of your personal data or if you wish to exercise any of the above rights, you can contact the data protection officer of the controller, whose contact details are mentioned below, along with the details of the controller. A copy of both sides of your identity card must always be enclosed with your request so that you can be identified.

You can also contact the data protection officer if you do not agree with how your data are processed. In addition, you can always file a complaint with the Data Protection Authority.

Vaccination certificate

Controllers

The EU Digital COVID vaccination certificate is issued by the following controllers under their respective authority:

Vlaams Agentschap Zorg en Gezondheid, registered with the Crossroads Bank for Enterprises under the number 0316.380.841, with offices at Avenue Roi Albert II 35/33, 1030 Brussels; contact details of the data protection officer: veiligheidsconsulent.zg@vlaanderen.be or by letter to the above address.
L'Agence Wallonne pour une Vie de Qualité, registered with the Crossroads Bank for Enterprises under the number 0646.877.855, with offices at Rue de la Rivelaine 21, 6061 Charleroi; contact details of the data protection officer: dpo@aviq.be or by letter to the above address.
L'Office de la Naissance et de l'Enfance, registered with the Crossroads Bank for Enterprises under the number 0231.907.895, with registered office at Chaussée de Charleroi 95, 1060 Saint-Gilles; contact details of the data protection officer: dpo@one.be or by letter to the above address.
Commission communautaire commune, registered with the Crossroads Bank for Enterprises under the number 0240.682.833, with offices at rue Belliard 71/1, 1040 Brussels; contact details of the data protection officer: dataprotection@ccc.brussels or by letter to the above address.
Commission communautaire française, registered with the Crossroads Bank for Enterprises under the number 0240.682.437, with offices at rue des Palais 42, 1030 Brussels; contact details of the data protection officer: dpo@spfb.brussels or by letter to the above address.
Ministerium der Deutschsprachigen Gemeinschaft, registered with the Crossroads Bank for Enterprises under the number 0332.582.613, with offices at Gospertstrasse 1, 4700 Eupen; contact details of the data protection officer: datenschutz@dgov.be or by letter to the above address.

Purpose and legal basis of the processing

The processing is carried out on the basis of Article 6(1)(c) of the GDPR:

processing is necessary for compliance with a legal obligation to which the controller is subject.

In accordance with Article 3(1) of the EU Digital COVID Certificate Regulation, the purpose of the processing of personal data is the creation, issuance and verification of the EU Digital COVID Certificate for the purpose of accessing and verifying the information included in the certificate in order to facilitate the exercise of the right of free movement within the Union during the COVID-19 pandemic.

Data overview

The following categories of personal data are processed:

the identity of the holder;
information about the COVID-19 vaccine and the number of doses administered to the holder;
certificate metadata, such as the certificate issuer or a unique certificate identifier;
the National Register number; and
the main residence.

Where do these personal data originate from?

The main residence is obtained from the National Register. The National Register number, the identity of the holder and the information about the COVID-19 vaccine and the number of doses administered to the holder are obtained from Vaccinnet, a database which keeps track of the administered COVID-19 vaccinations, among other things, and which is jointly managed by the different controllers. More information about Vaccinnet is available on the Vaccinnet website. In accordance with Vaccinnet's privacy policy, it is not possible to have your data deleted from this database.

Transfer

In principle, EU Digital COVID vaccination certificates are only intended to be issued to citizens and are therefore not automatically transferred to third parties by the controller. Your certificates will however be available through various digital services or digital patient portals. On your request, the certificates will also be transferred through eBox or the CovidSafeBe application.

On behalf of the different controllers, the data will be processed by the internal autonomous agency without legal personality Digitaal Vlaanderen, registered with the Crossroads Bank for Enterprises under the number 0316.380.841, with administrative headquarters at Avenue du Port 88, 1000 Brussels (privacy.digitaal@vlaanderen.be).

Storage period

The personal data linked to the EU Digital COVID vaccination certificate will be kept for as long as the certificate can be used to exercise your right of free movement or to create a COVID Safe Ticket. Your Social Security Identification Number and certificate metadata are stored in a log database for three years, for reasons of system security, error detection and in the event of disputes.

This storage period is independent of the storage period of your data in Vaccinnet (see: Where do these personal data originate from?).

Test and recovery certificate

Controller

The EU COVID-19 test and recovery certificates are issued by Sciensano, registered with the Crossroads Bank for Enterprises under the number 0693.876.830, with registered office at rue Juliette Wytsman 14, 1050 Brussels.

Contact details of the data protection officer: dpo@sciensano.be or by letter to the above address.

Purpose and legal basis of the processing

The processing is carried out on the basis of Article 6(1)(c) of the GDPR:

processing is necessary for compliance with a legal obligation to which the controller is subject.

Data overview

EU Digital COVID test certificate

The following categories of personal data are processed:

the identity of the holder;
information about the NAAT test or rapid antigen test to which the holder was subject;
certificate metadata, such as the certificate issuer or a unique certificate identifier;
the National Register number; and
the main residence.

EU Digital COVID certificate of recovery

the identity of the holder;
information about past SARS-CoV-2 infection of the holder following a positive test result in the last 180 days;
certificate metadata, such as the certificate issuer or a unique certificate identifier;
the National Register number; and
the main residence.

Where do these personal data originate from?

The data originate from a database of COVID-19 test results which is managed by Sciensano under the Cooperation Agreement of 25 August 2020 between the Federal State, the Flemish Community, the Walloon Region, the German-speaking Community and the Joint Community Commission, concerning the joint processing of data by Sciensano and the contact centres, health inspection services and mobile teams designated by the competent federated entities or by the competent agencies within the framework of contact tracing of persons (presumed to be) infected with the coronavirus COVID-19 on the basis of a database at Sciensano. More information on this database.

The database is populated with medically validated test results from labs, doctors and hospitals. If you suspect that your test results are incorrect, please contact the health care provider who sent the test result to Sciensano. If necessary, this health care provider can notify Sciensano of a correction.

The National Register can also be consulted.

Transfer

In principle, test and recovery certificates are only intended to be issued to citizens and are therefore not automatically transferred to third parties by the controller. Your certificates will however be available through various digital services or digital patient portals. On your request, the certificates will also be transferred through eBox or the CovidSafeBe application.

On behalf of the controller, the data will be processed by the internal autonomous agency without legal personality Digitaal Vlaanderen, registered with the Crossroads Bank for Enterprises under the number 0316.380.841, with administrative headquarters at Avenue du Port 88, 1000 Brussels.

Storage period

The personal data linked to the EU Digital COVID test or recovery certificate will be kept for as long as the certificate can be used to exercise your right of free movement or to create a COVID Safe Ticket. Your Social Security Identification Number and certificate metadata are stored in a log database for three years, for reasons of system security, error detection and in the event of disputes.

The validity period of a certificate of recovery shall not exceed 180 days.

This storage period is independent of the storage period of your data in the Sciensano database (see: Where do these personal data originate from?).

COVID Safe Ticket

The COVID Safe Ticket is the result of the analysis of the EU Digital COVID Certificate by means of the CovidScan application in order to control access to a pilot project or a mass event in the context of the COVID-19 pandemic.

The CovidScan application is the application that allows to validate the authenticity and validity of vaccination, test and/or recovery certificates and to read and, if necessary, generate the COVID Safe Ticket, by scanning the barcode of the EU Digital COVID Certificate.

Controller

The COVID Safe Ticket is issued by the following controllers under their respective authority:

Vlaams Agentschap Zorg en Gezondheid, registered with the Crossroads Bank for Enterprises under the number 0316.380.841, with offices at Avenue Roi Albert II 35/33, 1030 Brussels; contact details of the data protection officer: veiligheidsconsulent.zg@vlaanderen.be or by letter to the above address.
L'Agence Wallonne pour une Vie de Qualité, registered with the Crossroads Bank for Enterprises under the number 0646.877.855, with offices at Rue de la Rivelaine 21, 6061 Charleroi; contact details of the data protection officer: dpo@aviq.be or by letter to the above address.
L'Office de la Naissance et de l'Enfance, registered with the Crossroads Bank for Enterprises under the number 0231.907.895, with registered office at Chaussée de Charleroi 95, 1060 Saint-Gilles; contact details of the data protection officer: dpo@one.be or by letter to the above address.
Commission communautaire commune, registered with the Crossroads Bank for Enterprises under the number 0240.682.833, with offices at rue Belliard 71/1, 1040 Brussels; contact details of the data protection officer: dataprotection@ccc.brussels or by letter to the above address.
Commission communautaire française, registered with the Crossroads Bank for Enterprises under the number 0240.682.437, with offices at rue des Palais 42, 1030 Brussels; contact details of the data protection officer: dpo@spfb.brussels or by letter to the above address.
Ministerium der Deutschsprachigen Gemeinschaft, registered with the Crossroads Bank for Enterprises under the number 0332.582.613, with offices at Gospertstrasse 1, 4700 Eupen; contact details of the data protection officer: datenschutz@dgov.be or by letter to the above address.
Sciensano, registered with the Crossroads Bank for Enterprises under the number 0693.876.830, with registered office at rue Juliette Wytsman 14, 1050 Brussels; contact details of the data protection officer: dpo@sciensano.be or by letter to the above address.

Purpose and legal basis of the processing

The processing is carried out on the basis of Article 6(1)(c) of the GDPR:

processing is necessary for compliance with a legal obligation to which the controller is subject.

The legal obligation referred to is contained in the Cooperation Agreement of 14 July 2021 between the Federal state, the Flemish Community, the French Community, the German-speaking Community, the Joint Community Commission, the Walloon Region and the French Community Commission on the processing of data relating to the EU Digital COVID Certificate, the COVID Safe Ticket, the PLF and the processing of personal data of employees and self-employed persons residing or staying abroad and carrying out activities in Belgium. This Cooperation Agreement was modified by the Cooperation Agreement of 27 September 2021 modifying the Cooperation Agreement of 14 July 2021 between the Federal state, the Flemish Community, the French Community, the German-speaking Community, the Joint Community Commission, the Walloon Region and the French Community Commission on the processing of data relating to the EU Digital COVID Certificate, the COVID Safe Ticket, the PLF and the processing of personal data of employees and self-employed persons residing or staying abroad and carrying out activities in Belgium.

With regard to visitors of:

mass events, testing or pilot projects, dance halls and discotheques and
specific events, places or facilities;

the purpose of the processing of personal data from the EU Digital COVID Certificate is to read and, where applicable, to generate the COVID Safe Ticket by means of the CST module (= the execution mode of the CovidScan application to generate the COVID Safe Ticket) of the CovidScan application, in order to check and verify the following:

whether the holder of the EU Digital COVID Certificate fulfils the conditions to gain access;
the identity of the holder of an EU Digital COVID Certificate by means of a proof of identity.

Data overview

The categories of personal data processed for generating the COVID Safe Ticket are those of the EU Digital COVID Certificate.

The COVID Safe Ticket contains and displays only the following data:

the indication whether the holder, in his capacity as visitor of a mass event, a testing or pilot project, an event, a place or a facility, may be allowed or must be refused access;
identity details of the holder, namely his or her surname and first name;
the validity period of the COVID Safe Ticket.

Transfer

In order to verify that the holder of a vaccination certificate fulfils the conditions to gain access to an event, a place or a facility, the central platform where vaccination certificates and test and recovery certificates are managed, establishes a list of vaccination certificates that temporarily cannot be used to generate a COVID Safe Ticket because the holders of these vaccination certificates recently tested positive for COVID-19. This list contains only the unique certificate identifiers of the suspended vaccination certificates and is updated every hour.

The above-mentioned list of unique certificate identifiers of vaccination certificates that temporarily cannot be used to generate a COVID Safe Ticket is retrieved through the CovidScan application and is stored locally.

For the purposes described above, the EU Digital COVID Certificate or the COVID Safe Ticket generated by its holder may only be read by means of the CST module of the CovidScan application by the following persons:

the persons who perform access control for mass events;
the persons who perform access control for testing or pilot projects;
the persons who perform access control for dance halls or discotheques;
the persons who perform access control for conferences or trade fairs and the persons who perform access control for cultural, celebration or recreational venues;
if there are no persons as referred to in 4°, the manager or management of places and facilities where the COVID Safe Ticket can be used, as well as their staff, insofar as they are deployed in a restrictive manner and entrusted with Covid Safe Ticket verification;
the staff of a private security company or an in-house security service as referred to in the Law of 2 October 2017 regulating private and special security.

It is explicitly forbidden for these persons to read the EU Digital COVID Certificate or the COVID Safe Ticket generated by the holder or, where applicable, to generate it, with any application or module other than the CST module of the CovidScan application.

Storage period

COVID Safe Ticket data may only be read out up to and including 31 October 2022.