Article 10 — Protection of personal data
- Regulation (EU) 2016/679 shall apply to the processing of personal data carried out when implementing this Regulation.
- For the purpose of this Regulation, the personal data contained in the certificates issued pursuant to this Regulation shall be processed only for the purpose of accessing and verifying the information included in the certificate in order to facilitate the exercise of the right of free movement within the Union during the COVID-19 pandemic. After the end of period of the application of this Regulation, no further processing shall occur.
- The personal data included in the certificates referred to in Article 3(1) shall be processed by the competent authorities of the Member State of destination or transit, or by the cross-border passenger transport services operators required by national law to implement certain public health measures during the COVID-19 pandemic, only to verify and confirm the holder’s vaccination, test result or recovery. To that end, the personal data shall be limited to what is strictly necessary. The personal data accessed pursuant to this paragraph shall not be retained.
- The personal data processed for the purpose of issuing the certificates referred to in Article 3(1), including the issuance of a new certificate, shall not be retained by the issuer longer than is strictly necessary for its purpose and in no case longer than the period for which the certificates may be used to exercise the right to free movement.
- Any certificate revocation lists exchanged between Member States pursuant to Article 4(2) shall not be retained after the end of period of the application of this Regulation.
- The authorities or other designated bodies responsible for issuing the certificates referred to in Article 3(1) shall be considered to be controllers as defined in point (7) of Article 4 of Regulation (EU) 2016/679.
- The natural or legal person, public authority, agency or other body that has administered a COVID-19 vaccine or carried out the test for which a certificate is to be issued shall transmit to the authorities or other designated bodies responsible for issuing the certificates the personal data necessary to complete the data fields set out in the Annex.
- Where a controller as referred to in paragraph 6 uses a processor for the purposes referred to in Article 28(3) of Regulation (EU) 2016/679, no transfer of personal data by the processor to a third country shall take place.