FDPIC takes on advisory role in the FOPH project for a data protection compliant COVID-19 vaccination certificate
13.04.2021 - The FDPIC is advising the COVID-19 certificate project group set up by the Federal Office of Public Health (FOPH) on compliance with data protection requirements. The FDPIC advice is essentially in line with that given by the European Data Protection Board and the European Data Protection Supervisor in connection with the EU’s draft regulation on a ‘digital green certificate’.
The FOPH has set up a project group with a view to introducing a standardised, forgery-proof, internationally recognised COVID-19 vaccination certificate. The FDPIC is participating in this project group as the statutory advisory body on data protection to ensure the compliant implementation of Article 6a of the COVID-19 Act, which sets out the requirements for vaccination, test and recovery certificates. The certificates must be personalised, forgery-proof, verifiable while complying with data protection requirements, and designed so that only decentralised or local verification of their authenticity and validity is possible. It should also be possible for the certificates to be used when entering or leaving other countries.
As part of its advisory role in the project, the FDPIC will also work to ensure that the future use of the certificates meets the requirements of data protection law – in particular if they are used in the private sector in order to systematically obtain vaccination data or other personal data with a view to allowing access to goods or services. The FDPIC takes the view that not only must public-law requirements be set out in the associated ordinances, but private individuals must also be required to guarantee compliance with the Data Protection Act. In particular, data processing by private individuals must be proportionate, reasonable and transparent. In addition, the FDPIC has already publicly stated on several occasions that the planned use of the certificates should not mean everyone is required to carry a smartphone (see our news briefing from 22.01.2021 (not in English)). For this reason, the FDPIC welcomes the decision to make the vaccination certificate available on paper as well as in digital form.
The FDPIC’s demands essentially correspond with the joint opinion of the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) of 31 March 2021 relating to the EU Commission’s draft regulation on a ‘digital green certificate’. In their joint opinion, the EDPB and the EDPS state that the digital green certificate must have an adequate statutory basis and in particular must respect the principles of effectiveness, necessity, reasonableness and non-discrimination. In line with the FDPIC’s demands, the joint opinion also states that the digital green certificate must be made available in paper form.