CJEU - C-659/22 - Ministerstvo zdravotnictví (COVID19 mobile application)

From GDPRhub
CJEU - C-659/22 Ministerstvo zdravotnictví (COVID19 mobile application)
Cjeulogo.png
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 4(2) GDPR
Decided: 05.10.2023
Parties:
Case Number/Name: C-659/22 Ministerstvo zdravotnictví (COVID19 mobile application)
European Case Law Identifier: ECLI:EU:C:2023:745
Reference from: Nejvyšší správní soud (Supreme Administrative Court - Czech Republic)
Language: 24 EU Languages
Original Source: Judgement
Initial Contributor: mg


The CJEU held that scanning COVID certificates by means of a governmental app constitutes ‘processing’ of personal data pursuant to Article 4(2) GDPR.

English Summary

Facts

During the COVID-19 pandemic, the Czech Ministry of Health made access to premises and events dependent on certain conditions, such as vaccination or a negative test. The operators of several commercial activities were required to check the fulfilment of these conditions with regard to their clients by means of a specific app developed by the government. Operators were requested to scan the COVID certificate of clients and verify with the app that the certificate was valid.

An action for annulment against the decree setting these rules was brought before an administrative court.

The court referred some preliminary questions to the CJEU. In particular, the court aimed to know whether the conversion of personal data from a machine-readable form (the QR code on the COVID certificate) to a human-readable one (the information displayed on the app) could be considered processing of personal data pursuant to Article 4(2) GDPR.

Holding

The CJEU stressed in the first place that the concept of ‘processing’ pursuant to Article 4(2) GDPR has a very broad meaning, which is necessary to guarantee the effectiveness of the right to data protection. The verification process in the case at issue fell within such a broad scope, as it requires the use of personal data.

In addition, the CJEU noted how Regulation 2021/953 – as the piece of legislation establishing common rules about the ‘EU Digital COVID Certificate’ – explicitly provides a legal basis of the verification process under Articles 6(1)(c) and 9(2)(g) GDPR.

Therefore. the scanning of COVID certificates by means of an app constitutes ‘processing’ of personal data pursuant to Article 4(2) GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!