CJEU case C-659/22 Ministerstvo zdravotnictví (COVID19 mobile application) – CJEU Judgment (Czech Republic, 2023)

During the COVID-19 pandemic, the Czech Ministry of Health made access to premises and events dependent on certain conditions, such as vaccination or a negative test. The operators of several commercial activities were required to check the fulfilment of these conditions with regard to their clients by means of a specific app developed by the government. Operators were requested to scan the COVID certificate of clients and verify with the app that the certificate was valid. An action for annulment against the decree setting these rules was brought before an administrative court. The court referred some preliminary questions to the CJEU. In particular, the court aimed to know whether the conversion of personal data from a machine-readable form (the QR code on the COVID certificate) to a human-readable one (the information displayed on the app) could be considered processing of personal data pursuant to Article 4(2) GDPR. The CJEU stressed in the first place that the concept of ‘processing’ pursuant to Article 4(2) GDPR has a very broad meaning, which is necessary to guarantee the effectiveness of the right to data protection. The verification process in the case at issue fell within such a broad scope, as it requires the use of personal data. In addition, the CJEU noted how Regulation 2021/953 – as the piece of legislation establishing common rules about the ‘EU Digital COVID Certificate’ – explicitly provides a legal basis of the verification process under Articles 6(1)(c) and 9(2)(g) GDPR. Therefore. the scanning of COVID certificates by means of an app constitutes ‘processing’ of personal data pursuant to Article 4(2) GDPR.