Continue reading on DataGuidance with:
Free Member
Limited ArticlesCreate an account to continue accessing select articles, resources, and guidance notes.
Already have an account? Log in
Schleswig-Holstein: ULD issues statement on storage of COVID-19 documentation
The Schleswig-Holstein State Commissioner for Data Protection ('ULD') issued, on 1 November 2021, a statement which details its view on the storage, by restaurants and accommodation providers, of COVID-19 tests and recovery and vaccination certificates of individuals. In particular, the ULD noted that guests are increasingly being asked by restaurants and accommodation providers to present proof of negative COVID-19 tests, as well as recovery and vaccination status, which are then photographed or scanned, or to transmit them in advance.
Furthermore, the ULD highlighted that information regarding test results and the recovery or vaccination status of individuals constitutes health data, pursuant to Article 4(15) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). As such, the ULD considered that a legal basis for the processing of information of this kind can only result from Article 6(1), in conjunction with Article 9(2), of the GDPR. Accordingly, the ULD addeed that an obligation to store evidence on the COVID-19 status of an individual may only result from Schleswig-Holstein's Ordinance to Combat the Coronavirus SARS-CoV-2 of 15 September 2021('Corona-BekämpfVO') and highlighted that, while the Corona-BekämpfVO requires certain establishments to accommodate guests solely if these have been vaccinated, tested, or have recovered, it does not impose in any way an obligation to store, nor to collect in advance, evidence on the same. Therefore, the ULD concluded that the processing of information on tests' results and the recovery or vaccination status of individuals is unlawful without a legal basis, and ordered that such information be deleted immediately.
Moreover, the ULD considered that, regarding health data, higher requirements must be met in relation to the appropriate technical and organisational measures, pursuant to Article 24(1) of the GDPR, and further highlighted that this also applies to the transmission, including by email, of test results and recovery and vaccination certificates.
You can read the statement, only available in German, here.