Data Privacy Declaration

The EU Digital Covid Certificate platform “EU DCC Portal”, hereinafter “the platform”, was created for the implementation of Regulation (EU) 2021/953. This Regulation provides for the mutual recognition of certificates issued by the EU Member states to citizens to facilitate their free movement, between Member States. Your personal data entered therein shall be processed in accordance with the provisions of the General Data Protection Regulation (EU) 2016/679, hereinafter “the GDPR”, and the Protection of Natural Persons with regard to the Processing of Personal Data and the Free Movement of such Data Law of 2018, L.125(Ι)/2018, hereinafter “the national Legislation”, both constitute “the legislative framework for the protection of personal data”.

Data Controller

Data controller of the data collected through the platform is the Ministry of Health. For questions regarding the processing of personal data and the exercise of the Regulation rights you may contact the Data Protection Officer of the Ministry of Health at the email address director@mphs.moh.gov.cy

Object and legal basis of the processing

The Ministry of Health collects and processes your personal data pursuant to the basic principles governing the Legislative framework on the protection of personal data, i.e. the principles of legality, purpose limitation, transparency, minimisation, accuracy, limitation of storage period, confidentiality, integrity and accountancy, for the following purposes:

The digital certificate has been designed based on the needs of the Member States to progressively lift the restrictive measures against the Covid-19 pandemic, since it will be used as a proof of vaccination, test result or recovery, safeguarding public health in response to the redispersion of Covid-19.

According to Regulation (EU) 2021/953, the legal basis of the processing of your personal data are Articles 6(2)(c) and 9(2)(g) of the GDPR.

In particular, after submitting your request and inserting your data (Identity Card No or ARC No or Passport No) and following successful completion of your identification by inserting the unique OTP code (OTP), which shall be sent to your mobile phone, the digital Covid certificate (Certificate Issuance) of your choice shall be issued.

The design and implementation of this platform is based on the provisions of Regulation (EU) 2021/953 and the recommendation of the European Network eHealth on the technical specifications of the solution.

Categories of data subjects

Citizens requesting a digital Covid certificate through the platform.

Categories of data to be included in the certificates and hosted in encrypted form on a local cloud computing of CYTA:
a) Vaccination Certificate:

  • name: surname(s) and forename(s);
  • date of birth;
  • disease or agent targeted: COVID-19 (SARS-CoV-2 or one of its variants);
  • COVID-19 vaccine or prophylaxis;
  • COVID-19 vaccine product name;
  • COVID-19 vaccine marketing authorisation holder or manufacturer;
  • number in a series of doses as well as the overall number of doses in the series;
  • date of vaccination, indicating the date of the latest dose received;
  • Member State or third country in which the vaccine was administered;
  • certificate issuer;
  • unique certificate identifier.
b) Certificate of Recovery:
  • name: surname(s) and forename(s);
  • date of birth;
  • disease or agent from which the holder has recovered: COVID-19 (SARS-CoV-2 or one of its variants);
  • date of the holder’s first positive NAAT test result;
  • Member State or third country in which test was carried out;
  • certificate issuer;
  • certificate valid from;
  • certificate valid until (not more than 180 days after the date of first positive NAAT test result);
  • unique certificate identifier.
c) Test certificate:
  • name: surname(s) and forename(s);
  • date of birth;
  • disease or agent targeted: COVID-19 (SARS-CoV-2 or one of its variants);
  • the type of test;
  • test name (optional for NAAT test);
  • test manufacturer (optional for NAAT test);
  • date and time of the test sample collection;
  • result of the test;
  • testing centre or facility (optional for rapid antigen test);
  • Member State or third country in which the test was carried out;
  • certificate issuer;
  • unique certificate identifier.

Confidentiality and Security of Personal Data

For the security of personal data technical and organisational measures are taken against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. Personal data are kept in computer servers in a controlled, secure and protected environment. When the personal information is being uploaded to the platform, it is protected through the use of encryption, such as the Secure Socket Layer (SSL) protocol (SecureSocketLayer(SSL)). These personal data can only be accessed by specially authorised personnel of the controller and of the following processors, depending on their role and duties: - University of Cyprus: responsible for the development and operation of the integrated system for issuing the EU Digital Covid Certificate; - CYTA: responding for hosting the integrated system for issuing the EU Digital Covid Certificate on its cloud computing.

Data Recipients

The controller ensures that your data kept in an encrypted form shall not be disclosed to recipients unless permitted by the Legislative framework on the protection of personal data and according to national and European Union legislation.

Retention of Data

Personal data shall be retained in an encrypted form for the period of validity of Regulation (EU) 2021/953 on digital Covid certificates.

Exercise of the data subject’s rights

In accordance with the Legislative framework for the protection of personal data, you have the following rights, which you may exercise at any time within the period of validity of Regulation (EU) 2021/953:

Right of access (Article 15 of the Regulation): You may have access to your personal data and obtain complementary information concerning as well as a copy of these data.

Right to erasure (Article 17 of the Regulation): You have the right to request the erasure of your data under the conditions of Article 17 of the Regulation.

Right to restriction of processing (Article 18 of the Regulation): You have the right to request the restriction of processing of your data under the circumstances provided for by Article 18 of the Regulation.

You may exercise any of the above rights, as well as make any request by communicating with the Data Protection Officer of the Ministry of Health at the email address director@mphs.moh.gov.cy You also reserve the right to file a complaint to the competent supervising Authority, The Commissioner of the Protection of the Personal Data, if you discover that an unlawful processing of your personal data is taking place or your rights in respect of your personal data have been breached.

Data Privacy Declaration

“CovPass” application

The “CovPass” application hosting the digital Covid certificate,hereinafter “the application” was created for the implementation of Regulation (EU) 2021/953. This Regulation provides for the mutual recognition of certificates issued by the EU Member states to citizens to facilitate their free movement, between Member States. Your personal data entered therein shall be processed in accordance with the provisions of the General Data Protection Regulation (EU) 2016/679, hereinafter “the GDPR”, and the Protection of Natural Persons with regard to the Processing of Personal Data and the Free Movement of Such Data Law of 2018, L.125(Ι)/2018, hereinafter “the National Legislation”, both constitute “the legislative framework for the protection or personal data”.

Data Controller

The controller of the data inserted in the EU digital Covid Certificate which is kept in the Covpass wallet is the Ministry of Health. For questions regarding the processing of personal data and the exercise of your rights by virtue of the GDPR, you may contact the Data Protection Officer of the Ministry of Health via the email address director@mphs.moh.gov.cy.

Object and legal basis of the processing

The Ministry of Health collects, processes and keeps your personal data pursuant to the basic principles governing the Legislative framework on the protection of personal data, i.e., the principles of legality, purpose, limitation, transparency, minimisation, accuracy, limitation of storage period, confidentiality and integrity and accountancy, for the following purposes:

The application aims at facilitating the mutual recognition and use of certificates issued by the EU Member States to citizens who wish to travel within the EU, thus ensuring the coordinated lifting of restrictive measures and the safe and free cross-border movement.

In view of the use of CovPass application, the Ministry of Health, being the Data Controller, ensures that it respects the rights of the users of CovPass application, safeguarding that the data kept in the application and contained in the EU Digital Covid Certificate shall neither be processed nor used for any reason other than for verifying the authenticity and validity of the QR code of each certificate.

In particular, the digital certificate has been designed based on the needs of the Member States to progressively lift the restrictive measures against the Covid-19 pandemic, since it will be used as a proof of vaccination, test result or recovery, safeguarding public health in response to the redispersion of Covid-19.

The design and implementation of this platform is based on the provisions of Regulation (EU) 2021/953 and the recommendation of the European Network eHealth on the technical specifications of the solution.

Categories of data subjects

Citizens wishing to store their EU digital Covid Certificate to the Covpass wallet. The application for storing digital Covid-19 certificates is used for the secure transmission and storage of Covid-19 certificates in electronic format.

How to install and operate the CovPass application

  • The installation of the CovPass application on the mobile phone and its use are voluntary for users.
  • Once the CovPass application is installed, the camera must be activated for the electronic transmission of Covid-19 certificates either form paper or mobile devices to the app by means of scanning. The QR code can be scanned, imported and stored using the camera.
  • Once the QR code is scanned, the app user shall be requested to insert the TAN (transaction authentication number), which is produced during the issuance of the certificate, ensuring that each QR code shall be scanned and used only in one CovPass wallet. Each user shall be able to manage his/her own CovPass wallet, as he/she wishes so, by storing even the certificates of the family members.
  • After the saving of the scanned certificate on the CovPass application, a new TAN will be generated, if the user wishes to transfer his/her EU Digital Covid-19 Certificate on another device.

Use of the Camera

The user of the CovPass Application must give his/her permission for the use the camera. If the access to the camera is not granted the scanning of the QR code will not be possible to take place.

Data contained in the certificates issued and stored in the CovPass Wallet:

a) Vaccination Certificate:

  • name: surname(s) and forename(s);
  • date of birth;
  • disease or agent targeted: COVID-19 (SARS-CoV-2 or one of its variants);
  • COVID-19 vaccine or prophylaxis;
  • COVID-19 vaccine product name;
  • COVID-19 vaccine marketing authorisation holder or manufacturer;
  • number in a series of doses as well as the overall number of doses in the series;
  • date of vaccination, indicating the date of the latest dose received;
  • Member State or third country in which the vaccine was administered;
  • certificate issuer;
  • unique certificate identifier.
b) Certificate of Recovery:
  • name: surname(s) and forename(s);
  • date of birth;
  • disease or agent from which the holder has recovered: COVID-19 (SARS-CoV-2 or one of its variants);
  • date of the holder’s first positive NAAT test result;
  • Member State or third country in which test was carried out;
  • certificate issuer;
  • certificate valid from;
  • certificate valid until (not more than 180 days after the date of first positive NAAT test result);
  • unique certificate identifier.
c) Test certificate:
  • name: surname(s) and forename(s);
  • date of birth;
  • disease or agent targeted: COVID-19 (SARS-CoV-2 or one of its variants);
  • the type of test;
  • test name (optional for NAAT test);
  • test manufacturer (optional for NAAT test);
  • date and time of the test sample collection;
  • result of the test;
  • testing centre or facility (optional for rapid antigen test);
  • Member State or third country in which the test was carried out;
  • certificate issuer;
  • unique certificate identifier.

Data Recipients

The controller ensures that your data included in the digital Covid certificate shall not be disclosed to recipients unless permitted by the legislative framework on the protection of personal data and according to national and EU law.

During the check at the points of entry of an EU Member State, the authorised officers shall be able to proceed to the necessary verification of the authenticity, integrity and validity of the QR code, using special verifier devices. This ensures that during the verification process the data contained in the digital Covid certificate shall not be further processed or/and stored.

Users’ Responsibility

Users are obliged to store only their own personal EU digital Covid-19 certificates or the certificates of their close relatives given their consent.

Users are obliged to undertake all the necessary and required security precautions for their own devices in order to protect their own EU digital Covid-19 certificates against any unauthorised access by third parties and against malware.

Retention of Data

The digital Covid certificates shall be retained in the application for the period of validity of Regulation (EU) 2021/953 on EU digital Covid certificates. Therefore, the use of the CovPass Application may be terminated by the Republic of Cyprus at any time.

The digital Covid-19 certificates are stored on the user’s device as long as they are valid and are deleted when the user deletes the app from his device.

Exercise of the data subject’s rights

In accordance with the Legislative framework for the protection of personal data, you have the following rights, which you may exercise at any time within the period of validity of Regulation (EU) 2021/953:

Right of access (Article 15 of the Regulation): You may have access to your personal data and receive additional information about their processing, as well as a copy of these data.

Right to erasure (Article 17 of the Regulation): You have the right to request the erasure of your data under the conditions of Article 17 of the Regulation.

Right to restriction of processing (Article 18 of the Regulation): You have the right to request the restriction of processing of your data under the circumstances provided for by Article 18 of the Regulation.

You may exercise any of the above rights, as well as make any request by communicating with the Data Protection Officer of the Ministry of Health using the email address director@mphs.moh.gov.cy.

Moreover, you reserve the right to file a complaint to the competent supervising Authority, The Commissioner of the Protection of the Personal Data, if you discover that an unlawful processing of your data is taking place or your rights in respect of your personal data has been breached.

PRIVACY POLICY

The “CovScan” application has been designed for the execution of the verification/checking of the authenticity, validity and integrity of the digital Covid-19 certificates, hereinafter “the application”, which is based in the context of the implementation of the Regulation (EU) 2021/953 and the Infectious Diseases (Determination of Measures for the Prevention of the Spread of the COVID-19 Coronavirus Decree of 2021) Decrees, issued by the Minister of Health of the Republic of Cyprus.

Specifically, the Regulation provides for the mutual recognition of the certificates issued by EU Member states to citizens in order to facilitate the free movement, between Member States. Therefore, your personal data entered therein shall be processed in accordance with the provisions of the General Data Protection Regulation (EU) 2016/679, hereinafter “the GDPR”, and the Protection of Natural Persons with regard to the Processing of Personal Data and the Free Movement of Such Data Law of 2018, L.125(Ι)/2018, hereinafter “the National Legislation”, both constitute “the legislative framework for the protection or personal data”.

Data Controller

The controller of the data stored in the EU digital Covid-19 Certificate and which its validity is checked through the CovScan Application is the Ministry of Health. For questions regarding the processing of personal data and the exercise of your rights by virtue of the GDPR, you may contact the Data Protection Officer of the Ministry of Health via the email address director@mphs.moh.gov.cy.

Object and legal basis of the processing

The Ministry of Health collects, processes and keeps your personal data pursuant to the basic principles governing the Legislative framework on the protection of personal data, i.e., the principles of legality, purpose, limitation, transparency, minimisation, accuracy, limitation of storage period, confidentiality and integrity and accountancy, for the following purposes:

The application aims at facilitating the mutual recognition, verification of the validity and use of the digital Covid-19 certificates issued by the Republic of Cyprus and the EU Member States, ensuring the coordinated lifting of restrictive measures and the safe and free cross-border movement.

The digital certificate has been designed based on the needs of the Member States to progressively lift the restrictive measures against the Covid-19 pandemic, since it will be used as a proof of vaccination, test result or recovery, safeguarding public health in response to the redispersion of Covid-19.

The CovScan application has been designed in accordance to the principle of minimisation, which means that the application uses only the available public keys for the required verification of the validity, authenticity and integrity of the certificates. For verification purposes, only the validity and authenticity of the certificate is checked, by verifying who issued and signed it.

In view of the use of CovScan application, the Ministry of Health, being the Data Controller, ensures that it respects the rights of the users of CovScan application, safeguarding that the data kept in the application and contained in the EU Digital Covid-19 Certificate shall neither be processed nor used for any reason other than for verifying the authenticity and validity of the QR code of each certificate. No personal data is transmitted or permanently stored during the verification and checking procedure.

In particular, the data controller undertakes the hosting of public national keys, with the aim of verifying and updating the digital signatures contained in the QR codes of the citizens’ certificates, without any processing of personal data. Specifically, in order to achieve the confirmation of the cross-border data, only the validity and authenticity of the certificate will be checked, through the verification of the digital signature, by the Issuance Authority of the certificates.

The validity checks carried out in the application do not trigger any server request, as they performed using the QR code, without any personal data being transmitted. The information system checks the validity, integrity and authenticity of the digital Covid-19 certificate through the unique certificate identifier and the QR code.

The design and implementation of this application is based on the provisions of Regulation (EU) 2021/953 and the recommendation of the European Network eHealth on the technical specifications of the solution.

Categories of data subjects

Passengers/citizens wishing to use their EU digital Covid-19 Certificates in order to freely move within EU member states. Therefore, the CovScan application is used for the secure verification/checking of the validity, integrity and authenticity of the digital Covid-19 certificates.

How to install and operate the CovScan application

  • The installation of the CovScan application on the mobile phone and its use is voluntary for users.
  • Once the CovScan application is installed, the camera must be activated for the electronic checking of Covid-19 certificates either form paper or mobile devices by means of scanning. The QR is scanned using the camera.
  • Once the QR code is scanned, the application user will be notified for the results/indications:
    • indication in red colour for invalid certificates,
    • indication in yellow colour for valid certificates with a negative test result,
    • indication in green colour for valid certificates with a proof of vaccination or recovery
  • The application displays only the indication with the corresponding colour, the full name and the date of birth of the certificate holder for identification purposes.
  • The information is displayed to users only until they leave the corresponding view in the application or within a timelapse of 15 seconds. No certificate content data is stored.

Use of the Camera

The user of the CovScan Application must give his/her permission for the use the camera. If the access to the camera is not granted the scanning of the QR code and the verification of the digital Covid-19 certificate will not be possible to take place.

Data Recipients

The controller ensures that your data included in the EU digital Covid-19 certificate shall not be disclosed to recipients unless permitted by the legislative framework on the protection of personal data and according to national and EU law.

During the checks at the points of entry of an EU Member State, the authorised officers shall be able to proceed to the necessary verification of the authenticity, integrity and validity of the QR code, using verifying handheld devices. This ensures that during the verification process the data contained in the digital Covid certificate shall not be further processed or/and stored.

In the cases, specified by the Infectious Diseases (Determination of Measures for the Prevention of the Spread of the COVID-19 Coronavirus Decree of 2021) Decrees, issued by the Minister of Health, the authorised officers shall be able to procced with the required verifications/checks through the use of the CovScan application.

Duration of Application Use

The CovScan application shall be open for public use during the validity of the Regulation (EU) 2021/953 on EU digital Covid certificates (paragraph 49).

“Where a Member State has adopted or adopts, on the basis of national law, a system of COVID-19 certificates for domestic purposes, it should ensure for the period of application of this Regulation that certificates making up the EU Digital COVID Certificate can also be used and are also accepted for domestic purposes, in order to avoid that persons travelling to another Member State and using the EU Digital COVID Certificate are obliged to obtain an additional national COVID-19 certificate”.

Exercise of the data subject’s rights

In accordance with the Legislative framework for the protection of personal data, you have the following rights, which you may exercise at any time within the period of validity of Regulation (EU) 2021/953:

Right of access (Article 15 of the Regulation): You may have access to your personal data and receive additional information about their processing, as well as a copy of these data.

Right to erasure (Article 17 of the Regulation): You have the right to request the erasure of your data under the conditions of Article 17 of the Regulation.

Right to restriction of processing (Article 18 of the Regulation): You have the right to request the restriction of processing of your data under the circumstances provided for by Article 18 of the Regulation.

You may exercise any of the above rights, as well as make any request by communicating with the Data Protection Officer of the Ministry of Health using the email address director@mphs.moh.gov.cy.

Moreover, you reserve the right to file a complaint to the competent supervising Authority, The Commissioner of the Protection of the Personal Data, if you discover that an unlawful processing of your data is taking place or your rights in respect of your personal data has been breached.