News

Start of main content

Moncloa's 'covid passport' does not guarantee the avoidance of contagion and raises legal doubts

| News | Privacy, IT & Digital Business

María Zarzalejos analyzes the proposed implementation of a European vaccination certificate and explains the requirements to comply with the Data Protection Law.

The government has on multiple occasions expressed its support for the introduction of a 'covid passport', a certificate to facilitate international travel for people who have already been vaccinated. Prime Minister Pedro Sánchez last did so on Thursday: "The cross-border movement of people is essential for the continuity of businesses and other key activities and therefore finding ways to promote safe international travel must remain our priority.

María Zarzalejos, partner in Andersen's Privacy, IT & Digital Business practice, explains that four requirements are necessary: Choose a legal basis. Perhaps it would fit in Article 6.1. e) of the GDPR: "The processing - of data - is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller". And Article 6(3) of the GDPR continues in this respect: 'The purpose of the processing must be specified in that legal basis or, as regards the processing referred to in paragraph 1(e), necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. That legal basis may contain specific provisions for adapting the application of rules of this Regulation," it states.

It also states that what is meant by "public interest purpose" should be laid down in EU law or in the law of the participating Member States. Secondly, safeguards and security measures should be put in place to ensure security and privacy of these sensitive data. Also, retention and deletion periods should be indicated, and finally, authorised access should be limited (e.g., at airports for travel in Europe). The processing or consultation of these data cannot be extended or generalised to all businesses or services such as bars, discotheques, etc.

On balance, Zarzalejos concludes that it could be implemented, but the development will not be easy, especially if all EU countries must coordinate the management of their citizens.

The full article can be read in Vozpópuli

End of main content