12 April 2021

The Office for Personal Data Protection (‘UOOU’) published, on 9 April 2021, its opinion on the potential use of digital green certificates, the so-called COVID-19 vaccination passports, following the joint opinion of the European Data Protection Board (‘EDPB’) and European Data Protection Supervisor (‘EDPS’). In particular, the opinion highlighted that it is imperative that the legal obligation for provision of digital green certificates must be balanced with technical and organizational security guarantees and an alternative method needs to be provided to ensure that individuals who do not wish to be tested, are not denied entry to facilities in the Czech Republic. In addition, the opinion stated that requesting copies of digital green certificates or ID cards are contrary to the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) and a legitimate purpose for such provision would be where evidence is needed on suspicion of a criminal offence.

Furthermore, the opinion provided that the legal basis for the register of vaccines (OČKO vaccination module) is found in Section 79(2) of the Public Health Protection Act which allows the processing of health data by public health authorities. However, the opinion noted that this law does not provide for a retention period and that, given the expected number registered within this module, this would result in a high-risk of data processing which would require conducting a data protection impact assessment (‘DPIA’), among others.

You can read the opinion, only available in Czech, here.