Data Protection

Guidelines for CovidCheck and personal data

With the introduction of CovidCheck in companies just days away, the CNPD answers questions from employers and employees. (Photo: Guy Wolff/Maison Moderne)

With the introduction of CovidCheck in companies just days away, the CNPD answers questions from employers and employees. (Photo: Guy Wolff/Maison Moderne)

Who can check an employee’s QR code? What can be put on the list of people already vaccinated? Can event goers be asked to send their certificate by e-mail? The CNPD answers the most frequently asked questions about the introduction of CovidCheck a few days before its implementation in workplaces.

If restaurants or event organisers are starting to get used to the CovidCheck, it will soon be the turn of employers, as the 3G regime--vaccinated, tested or recovered--becomes compulsory at work from 15 January. On its website, the National Commission for Data Protection (CNPD) answers the most frequently asked questions on the subject. Here is a summary.

Who can verify the authenticity of the CovidCheck certificate?

Article 3 of the amended Act of 17 July 2020 on measures to combat the Covid-19 pandemic provides that the obligation to check the validity of the certificate must be carried out by the employer or the head of administration or another person designated by them,” writes the CNPD. If a person is appointed, it recommends that he or she be “subject to a specific duty of confidentiality towards the employer and his or her colleagues.

Under what conditions can the employer keep a list of people who have been vaccinated or recovered, so that they do not have to be checked daily?

The covid law does allow the employer or the head of the administration to keep a list of its employees or public servants who have been vaccinated or recovered. But inclusion in this list must be voluntary. “The employee or agent must give his or her explicit consent. The employer must always allow employees who do not wish to be on the list to present their certificate each time they go to work, “without suffering any negative consequences as a result of this choice”.

The only purpose of the list is to facilitate CovidCheck verification. It may not contain any information other than the names of those vaccinated or reinstated and the period of validity of the certificates. Only the operator, organiser or persons responsible for maintaining the list should have access to its contents. Registered people may request that their names to be removed “at any time without explanation or justification”.

For the time being, the list is valid until 28 February 2022. If there is no change in the law, it must be destroyed by that date.

Can the validity result of a certificate be linked to the entry badge?

“Yes, under certain strict conditions,” replies the CNPD. As with the list, the concerned employees or agents must have given their prior consent to this processing.

Can the employer ask the employee for identification to verify that they are the certificate holder?

Yes, the notion of “identity document” applies here “in a broad sense and not limited to an identity card or a passport, but may include any official document, such as a driving licence or a student card, which therefore includes a photograph of the person concerned.”

The mere fact that the person in charge of the check views the personal data on an identity document does not constitute data processing within the meaning of the General Data Protection Regulation (GDPR), the CNPD said. On the other hand, “employers may under no circumstances keep a copy of such documents for this purpose.”

If the application malfunctions, can the employer check the certificates manually?

Yes, but only in exceptional cases. “Before any manual verification, the employer or the head of administration should provide a back-up system,” the CNPD says. As the paper version contains more information than that obtained via the application, “such verification should be avoided as much as possible”. It is only possible if the employee disputes the result displayed after the QR code scan, or if the scan does not work for technical reasons. The persons responsible for verification and subject to a duty of confidentiality may then manually check the certificate.

Can employers check their employees remotely?

“A check on the validity of the certificate is not necessary when the employee or agent is teleworking,” the CNPD reminds us.

However, if a check has to be carried out remotely because the employee is, for example, working at different locations, the CNPD “recommends the implementation of the least intrusive means possible”. Like reading the QR code directly by video conference. The employer could also ask the employee to send his QR code by e-mail, but not the rest of the information on the certificate. It would then have to be transmitted securely, “via professional e-mail addresses”. Only the employer or a person designated by the employer should be able to access it and it should be deleted from the e-mail box once the check has been carried out.

In addition to the list of those vaccinated, can the employer carry out a survey to find out how many people in the company have been vaccinated?

In principle, no. “Only competent health professionals have the right to collect, implement and access any medical forms or questionnaires from employees containing data on their health.” Such collection would only be possible by the employer in exceptional cases, on a voluntary basis, entirely anonymous and without the possibility of re-identification. “It would be up to the employer to demonstrate that no data could be used to re-identify the participants in the questionnaire, which in any case seems very complicated in small companies.”

What happens if an external company checks the employees?

The CNPD reminds that the QR code scan is considered as personal data processing. “If the company or administration delegates the control to an external company, it should provide a subcontracting agreement with this external company meeting the conditions of Article 28 of the GDPR."

What about visitor control?

The law obliges employees to undergo the CovidCheck scheme when travelling to their place of work. It also allows “any employer or head of administration to place all or part of his or her business or administration under the CovidCheck regime, for external persons”. In this case, “the CNPD recommends that employers provide an area not subject to the CovidCheck regime and accessible to the public in order to ensure the continuity of the company's or administration's services, thus avoiding the need to check the certificates of persons who do not need to have access to all the premises and/or to stay for a long time. In the public sector, Article 3 of the aforementioned law states that access to the public service and the continuity of the public service must be guaranteed.”

What are the rules when organising an event?

For leisure activities such as the organisation of events, “the operator or organiser must only consult the data visible during the CovidCheck verification, as well as an identity document in order to verify the identity mentioned on the certificate presented, without keeping it”. They may not keep a copy of the certificates or the identity document but may “collect and keep on a voluntary basis the names of vaccinated or reinstated persons and the period of validity of their certificates, in order to establish a list of vaccinated or reinstated persons when they regularly access a given establishment or regularly participate in activities or events subject to the CovidCheck regime.” The conditions are similar to those for the list of vaccinated employees. “The operator or organiser may delegate the maintenance of this list to one or more of its employees or to one or more external service providers,” the CNPD adds.

Can participants be asked to send their certificate by e-mail in advance?

No, says the CNPD. “The practice of asking people to send the certificate by e-mail in advance is problematic in terms of the principles of data minimisation, security and confidentiality. Indeed, according to the law, it is sufficient to ask people who have to go to a place under the CovidCheck regime to present their certificate on the spot.”

This story was first published in French on Paperjam. It has been translated and edited for Delano.