Information on vaccination and coronavirus infections under the magnifying glass of the Bavarian data protection authority

The Bavaria DPA has issued a statement on the verification of COVID-19 vaccination certificates and test results. The authority addresses not only legal issues, but also technical and organisational issues. Health data, which includes information on vaccination or infection, should be subject to special protection. Their controllers should therefore take appropriate measures taking into account the higher risk of a breach and its more severe consequences for citizens.

In accordance with regulation (EU) 2021/953 of the European Parliament and of the Council of 14 June 2021 on a framework for the issuance, verification and acceptance of interoperable COVID-19 vaccination, test and recovery certificates (EU Digital COVID Certificate) to facilitate free movement during the COVID-19 pandemic, the vaccination certificate contains information on the type of vaccine, the manufacturer, the number of vaccinations, the date of vaccination, in addition to data such as name, date of birth. Certificates for coronavirus testing, on the other hand, contain data on the type of test, its result, the date it was performed, the point or facility where it was performed.
The Authority draws the attention of controllers to the principle of minimisation of personal data (Article 5(1)(c) of the GDPR). Verification of certificates should not entail the creation of redundant registers containing information on test results or information on vaccination status. If the creation of such registers is necessary, controllers should consider limiting the information they collect – not all data contained in certificates, although complying with the scope indicated in regulation 2021/953, need to be relevant for a given controller and thus should not be processed by it. Reducing the scope of data processed minimises both the risk of a breach occurring and the nuisance of its consequences.