The creation of digital green certificates to facilitate the return to free movement in the EU should not lead to the creation of a huge new database of personal information, nor to “direct or indirect” discrimination against individuals, especially those who are not vaccinated, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) ruled in a joint opinion on Tuesday 6 April.
The EDPB and the EDPS call on the co-legislators to ensure that the digital green certificate is fully compliant with the General Data Protection Regulation, says a statement, and that it “respects the general principles of effectiveness, necessity and proportionality”.
“It should be clear that the proposal does not allow - and should not lead to - the creation of all kinds of central databases of personal data at EU level. In addition, it must be ensured that personal data is not processed for longer than strictly necessary and that access to and use of such data will not be allowed once the pandemic is over”, said Supervisor Wojciech Wiewiórowski.
The proposal should “expressly provide that access to and further use of individuals’ data by EU Member States after the pandemic is over is not allowed”, and the application of the certificate regulation should be strictly limited to the current crisis. This is also provided for in the Commission’s proposal, which insists on the temporary nature of these documents.
The certificates, which will cover three situations (vaccinated individuals, individuals who have recently tested negative and individuals who have recovered from Covid-19), will also have to be accessible in paper format and not only in digital format to promote “inclusion for all”, the EDPB and the EDPS say.
They also request that a list of all entities deemed to act as controllers of data recipients in the Member State of destination (other than the authorities responsible for issuing certificates) be made public.
The two organisations still consider that the Commission has not sufficiently justified the type of data to be included in these certificates (name, date of birth, name of the test and test manufacturer, authority issuing the certificate, date and time of the tests and results, etc.) They want to know if all this data is necessary.
The regulation is currently under discussion in the EU Council. The Portuguese Presidency of the Council would like to reach an agreement by 14 April.
Link to the joint opinion: https://bit.ly/3mpnej5 (Original version in French by Solenn Paulic)