Information on the processing of personal data in the context of the mobile application Tečka (EU Digital COVID Certificate Wallet app)
In this document you will find information on the processing of personal data in the mobile application Tečka, the EU Digital COVID Certificate issued by the Ministry of Health of the Czech Republic. You will find out what personal data are processed and according to which law.
What is the Digital COVID Certificate and how to get it?
The Digital COVID Certificate is a certificate that proves a person has been vaccinated, that he or she is has recovered from COVID-19 or has a negative result from the AG or the PCR test.The purpose of the Certificate is to facilitate the right of free movement during the COVID-19 pandemic within the EU and in national counter-epidemic measures, where confirmation of one of the above situations is required (for example, when visiting service establishments and social events).
The digital COVID certificate is based on an EU standard and allows the international use of certificates. The QR code, which contains electronically readable information, is the basis for the Digital COVID Certificate. At the same time, the QR code contains the electronic signature of the issuing country, which makes it possible to verify the authenticity of the certificate.
The certificate is issued by each EU Member State or by organisations authorised by them. In the Czech Republic, a certificate can be obtained from the vaccination portal https://ocko.uzis.cz, at the places of vaccination, the collection sites of AG tests, laboratories processing PCR tests or from a general practitioner.
What is the purpose of the Tečka application?
The application is operated in accordance with EU and Czech law and facilitates the free movement of persons and access to services and events during the COVID-19 pandemic.
The application allows download and storage of certificates from ocko.uzis.cz and presenting the certificates to cross borders, access services or events.
- Login via NIA – first time only, afterwards login via fingerprint, face recognition or PIN
- Alternative login via one-time SMS (same as ocko.uzis.cz) – first time only, afterwards login via fingerprint, face recognition or PIN
- Support for multiple certificate holders on one mobile
- Load current certificates from ocko.uzic.cz,
- Load certificate from paper or displayer QR code
- Conversion of original vaccination certificate format to EU format
- Display of certificates with validity evaluation according to validation rules. Happens offline.
- Display of summary and detailed information from the certificate
- Download of configuration – signature keys (EU member states) and validation rules (only CZ) from the UZIS servers. Happens online once every 24 hours.
Personal data of certificate holders are processed with the purpose to be checked by persons authorised by EU regulations, exceptional measures of the Ministry of Health of the Czech Republic or on a voluntary basis.
What data are contained in the Digital COVID Certificate?
The Digital COVID Certificate contains only the basic identification information of the holder – first name, surname, date of birth – does not contain the document numbers, insurance numbers or other identifiers.
The certificate contains detailed information on the vaccination carried out or test carried out – date, place of vaccination or test, type and manufacturer of vaccine or test, number and dates of application of vaccine doses, result of the test. The recovery certificate contains the date of the first positive PCR test.
The certificate also contains the name of the issuing organisation and the EU Member State, the date of issue and the unique identifier of the certificate.
The EU Digital COVID Certificate is designed as a set of factual information, that can be assessed by the verifying party on the basis of the rules of the respective country. It is therefore neither an anonymous certificate nor a „simple YES/NO“ certificate.
Who and how is it using the Digital COVID Certificate?
The main actors in the process of creating and using the Digital COVID Certificate are:
- Issuer of the certificate, Ministry of Health of the Czech Republic. It manages information systems for the testing and vaccination against COVID-19, where the source information for certificates is collected. The certificate shall be transmitted in a trustworthy manner to the relevant holder.
- The holder of the certificate, the person to whom it refers and whose personal and health information it contains. Once the certificate has been obtained, the holder shall make further use of the certificate and the personal data it contains, including the presentation of a certificate to veryfying persons, fully in the hands of the certificate holder.
- The verifier of the certificate is a person who is authorised under EU regulations, exceptional measures by the Ministry of State of the Czech Republic or on a voluntary basis to check and verify the validity of the certificate of other persons.
The issuer of the Digital COVID Certificate may also be another EU Member State and the holder may be the person tested or vaccinated in another EU Member State.
The Tečka application is publicly provided by the Ministry of Health as an auxiliary tool for holders of the certificates.
The relationship between the certificate holder and the certification verifier is determined by an EU regulation, exceptional measures by the Ministry of State of the Czech Republic or on the basis of voluntary cooperation. Typically, the holder of the certificate wishes to use certain services, visit an event or cross the border, making use of the exception provided in the EU Regulation or the exceptional measures of the Ministry of Health of the Czech Republic. On the basis of his decision, the holder present his certificate, including personal and health data contained therein, to the verifier. The verifier assesses whether the certificate holder complies with the conditions of the relevant measures.
Issuing of Digital COVID Certificates
The sources of personal data in Digital COVID Certificates are the information systems of the Ministry of Health and the ÚZIS, intended for the management of the COVID-19 testing (eŽádanka) and the vaccination against COVID-19 (ISIN module OČKO).The persons tested or vaccinated provide personal data for processing in these systems.
The controller of personal data in Digital COVID Certificate is the Ministry of Health of the Czech Republic, Palackého, 4, P.O.BOX 81, 128 01 Prague 2, VAT number 00024341. He/she shall do so in the performance of the tasks assigned to him by law or, where provided for by law, or if necessary in order to exercise the rights and obligations of the Ministry under the law.
Personal data are processed within the infrastructure of the Czech Ministry of Health, which is operated by a processor of the Institute for Health Information and Statistics of the Czech Republic (hereinafter referred to as the ÚZIS). In addition to the ÚZIS, the National Agency for Communication and Information Technology (hereinafter referred to as NAKIT) is the integrator of selected systems.
The ÚZIS is the operator of the integrated information system of the hygienic service, IISHS, of which ISIN is a part. These IT systems are operated in an infrastructure environment for health registers, the core component of which is part of the state’s critical infrastructure under Act No 181/2014 on cyber security and amending the related acts (Cybersecurity Act, hereinafter referred to as “the ZoKB”). The environment of health registers allows for standardised and easy development of new components of registers, in line with the requirements of the ZoKB and the protection of personal data. The OČKO module has been designed as a logical extension of the module of the Information System for Infectious diseases (ISIN) and the central data repository. The module was created to make the results and vaccination information available to general practitioners, hygiene stations and for statistical data processing to the Ministry of Health.
In any case, only a few authorised and authorised persons bound by an obligation of confidentiality have access to the data, and all access to and operations involving such data are secured and recorded. We only make them available to other persons if we are obliged to do so on the basis of legislation. In order to comply with our legal obligations referred to above, your data are also processed by external IT service providers (Internet connection, servicing of information and communication technology, etc.) who are bound by a duty of confidentiality and must offer maximum guarantees of technical and organisational security for the protection of personal data.
We process personal data in the certificates in a transparent, fair and lawful manner, in particular:
- Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation);
- Regulation (EU) 2021/0068 of the European Parliament and of the Council on the framework for the issuance, verification and recognition of interoperable vaccination, testing and recovery certificates in order to facilitate free movement during the COVID-19 pandemic (EU Digital COVID Certificate);
- law No 110/2019Sb., on the processing of personal data; and
- act No 258/2000 on the protection of public health and amending certain related acts and related legislation – parliamentary press 1225/0.
To whom and how are the Digital COVID Certificates transferred by the Ministry of Health?
The Digital COVID Certificate shall be transmitted by the Ministry of Health only to persons on whom information is included in the certificates, in one of the following ways:
- Vaccination Portal https://ocko.uzis.cz after authentication via the NIA or a one time SMS password
- download to a mobile application Tečka after authentication via NIA or a one time SMS password (future option)
- by e-mail
- personally at the vaccination site, collection point of the AG tests or in the PCR testing laboratory
- personally by a general practitioner
This way the person, who is the object of the certificate, becomes a holder of the certificate and the further handling of the certificate is fully in his/her hands.
How does the Tečka application work with data from the Digital COVID Certificate?
Aplikace udržuje pouze nejnovější verzi každého typu certifikátu, ukládá je v šifrovaném úložišti a přístup k nim chrání rozpoznáváním obličeje, otiskem prstu nebo PINem. Aplikace nikam neodesílá osobní ani zdravotní údaje kontrolovaných osob, pouze je dočasně zobrazuje na obrazovce mobilního telefonu pro účely kontroly na základě volby uživatele.
Při odinstalaci aplikace jsou všechna její data vymazána.
The application reads QR codes of certificates either from ocko.uzis.cz (it is possible to login multiple certificate holders on one mobile) or by means of a mobile phone camera, and stores in the memory of the mobile phone.
The application displays a list of holders of stored certificates, a list of newest versions of each type of certificate (vaccination, recovery, test AG, test PCR) for each certificate holder. Each certificate can be displayed in a form of QR code (for verification) together with the basic identification data of the holder of the certificate and the status valid/invalid – and, on request, the complete set of information contained in the certificate.
The application stores only the newest version of each type of certificate for each holder. The certificates are stored in encrypted storage and access to them is protected via fingerprint, face recognition or PIN. The application does not send out any personal or health data of the certificate holders, but only temporarily displays them on the screen of a mobile phone for the purpose of verification.
When the application is uninstalled, it deletes all personal data.
What other data are processed by the Tečka application?
In addition to the data contained in Digital COVID Certificates, the Tečka application works with public information related to the certificate system – the list of signature keys of EU Member States and the definition of validation rules of each EU Member State.
In order to ensure the functionality of the application, it also works with data on its functioning (e.g. logs of application and use of the application) and uses standard tools (Firebase Crashlytics and Google Analytics) from Google. The data sent by applications to these services do not contain the identifiers of the owner of the mobile phone or mobile phone (such as the phone number, IMEI, AdvertisingID) and are processed solely for the purpose of identifying and correcting critical mistakes, recording updates of the application and statistical mapping of the application by the user. The application does not know the user’s personal data and this telemetric data cannot be linked in any way to a specific person. We are working with the data thus obtained for a maximum period of 180 days.
What permissions does the Tečka application require from the operating system of your mobile?
Camera access – used solely for the purpose of scanning QR codes, on user request.
What are the rights of the certificate holders when processing personal data in the Tečka application?
The application processes personal data of certificate holders, who has been authenticated on given mobile or who has provided the QR code of the certificate for scanning to the user of given mobile. Relationship and the handover of QR codes or authentication information between the certificate holders and the user of given mobile are out of control of Ministry of Health and is presumed to be on fully voluntary basis (e.g. family members).
The right to withdraw consent, the right of access, the right to rectification, the right to erasure and the right to restrict processing is implemented by uninstalling the application. When the application is uninstalled, it deletes all personal data.
The right to lodge a complaint. You can exercise this right in particular if you consider that your personal data is being processed unlawfully or in breach of applicable law.
How can you exercise your individual rights, who will supervise the processing of your personal data and to whom you may refer in case of doubt about the processing of your personal data?
In all matters relating to the processing of your personal data, whether in relation to enquiries, exercise of the right to lodge a complaint or any other matter, you may contact Data Protection Officer of the Ministry of Health via e-mail address firstname.lastname@example.org or by writing to the Data Protection Officer, Ministry of Health of the Czech Republic, Palackého 4, P.O.BOX 81, 128 01 Prague 2.
You can lodge a complaint against the processing of your personal data with the Office for the Protection of Personal Data, which is located at Pplk.Sochora 27, 170 00 Prague 7.