CJEU - C-659/22 - Ministerstvo zdravotnictví (Application mobile Covid-19)
| CJEU - C-659/22 Ministerstvo zdravotnictví (Application mobile Covid-19) | |
|---|---|
 | |
| Court: | CJEU |
| Jurisdiction: | European Union |
| Relevant Law: | Article 4(2) GDPR |
| Decided: | 05.10.2023 |
| Parties: | |
| Case Number/Name: | C-659/22 Ministerstvo zdravotnictví (Application mobile Covid-19) |
| European Case Law Identifier: | ECLI:EU:C:2023:745 |
| Reference from: | Nejvyšší správní soud (Supreme Administrative Court - Czech Republic) |
| Language: | 24 EU Languages |
| Original Source: | Judgement |
| Initial Contributor: | mg |
The CJEU held that scanning COVID certificates by means of a governmental app constitutes ‘processing’ of personal data pursuant to Article 4(2) GDPR.
English Summary
Facts
During the COVID-19 pandemic, the Czech Ministry of Health made access to premises and events dependent on certain conditions, such as vaccination or a negative test. The operators of several commercial activities were required to check the fulfilment of these conditions with regard to their clients by means of a specific app developed by the government. Operators were requested to scan the COVID certificate of clients and verify with the app that the certificate was valid.
An action for annulment against the decree setting these rules was brought before an administrative court.
The court referred some preliminary questions to the CJEU. In particular, the court aimed to know whether the conversion of personal data from a machine-readable form (the QR code on the COVID certificate) to a human-readable one (the information displayed on the app) could be considered processing of personal data pursuant to Article 4(2) GDPR.
Holding
The CJEU stressed in the first place that the concept of ‘processing’ pursuant to Article 4(2) GDPR has a very broad meaning, which is necessary to guarantee the effectiveness of the right to data protection. The verification process in the case at issue fell within such a broad scope, as it requires the use of personal data.
In addition, the CJEU noted how Regulation 2021/953 – as the piece of legislation establishing common rules about the ‘EU Digital COVID Certificate’ – explicitly provides a legal basis of the verification process under Articles 6(1)(c) and 9(2)(g) GDPR.
Therefore. the scanning of COVID certificates by means of an app constitutes ‘processing’ of personal data pursuant to Article 4(2) GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
