Privacy statement on the protection of personal data - COVID-19 Certificate for Visitors

COVID Certificate for Visitors EUROCONTROL protects your personal data in accordance with the EUROCONTROL Regulation on Personal Data Protection adopted by its Member States and published in 2008, and its Implementing Rules which were published in 2017.

1. What is the “COVID Certificate for Visitors? Why do we collect, store and process your data?

The COVID-19 pandemic has imposed worldwide measures to avoid further spreading of the virus. As any other employer, EUROCONTROL has the obligation to ensure a safe working environment for everybody working for the Organisation. This obligation is set out in Decision XIX/1 (2021) dated 1.5.2021, and Decision XIX/4 (2021) dated 25.10.2021 of the Director General.

EUROCONTROL has implemented several measures to limit the spread of COVID-19, which have proven effective. Nevertheless, taking into account the evolution of the virus, and the fact that the Agency is not aware of the vaccination rate of external visitors, it is necessary to lay down extra measures.

In this context, a new Decision was published related to the management of the COVID-19 pandemic (Decision XIX/4 (2021)). This decision includes the processing of personal data through the verification of the EU Digital COVID Certificate (issued by EU States and the other States/territories that have joined this system) upon entry of the EUROCONTROL premises of Brussels, Luxemburg or Maastricht or through the alternative documentation sent to the Agency Medical Service.

EUROCONTROL Medical Service processes your personal data on the basis of DG Decision XIX/01 (04/07/2019) concerning the Organisation of the Division Human Resources and Agency Services.

The EU Digital COVID Certificate for Visitors is meant to ensure that the working conditions at EUROCONTROL comply with the appropriate health and safety standards and to support business continuity at EUROCONTROL. Therefore, if you do not provide an EU Digital COVID certificate or the alternative documentation sent to the EUROCONTROL Medical Service you will be refused access to EUROCONTROL’s premises.

2. What data do we collect, store and process about you?

The verification of visitors’ EU Digital COVID Certificate will be done at the reception desk of the premises.

The certificate will contain information on the holder’s name, date of birth, the EU member state issuing the certificate, and a digital certificate (QR code) that will attest that a person has been vaccinated against COVID-19, or has been tested negative for SARS-CoV-2, or has recovered from a SARS-CoV-2 infection.

The QR code of the CST only gives a green or a red result, so EUROCONTROL only verifies if the CST is valid, not the reason why (vaccinated, tested or recovered).

This procedure does not entail the storage of any personal data. The validity of the certificate is checked once at the reception, in order to obtain access to the site. No other processing is done, neither EUROCONTROL’s security guards verify which of the CST conditions are met.

Visitors who do not have an EU Digital COVID Certificate will need to inform their meeting organiser and send their documentation confidentially to the Agency Medical Service. The documentation should state that they have either been fully vaccinated against COVID-19, have a negative PCR test for SARS-CoV-2 completed in the last 72 hours prior to the event, or have recovered from COVID infection in the last 6 months. The documentation will also include the name, date of birth and confirmation of the conditions mentioned above. They will receive a confirmation by email before the event/meeting.

3. Who is your data disclosed to? Who has access to your data?

Upon arrival on site, you need to present your EU Digital COVID Certificate to the security guards, who are contractors of the company Seris. All staff members allowed to verify the EU Digital COVID Certificate, have received the necessary instructions on how to proceed and concerning the protection of confidential information and personal data.

The name and date of birth of the person presenting certificate, or any other personal or medical data, is not recorded, stored or transferred to any service.

In case a valid Digital COVID Certificate is not available, any alternative proof will be disclosed to the Medical Service of EUROCONTROL. This information is not transferred to any service.

4. How long is your data kept?

In case a valid EU Digital COVID Certificate no data will be stored. The personal data only appears on the screen when the security guards check the validity of the certificate.

In case an alternative documentation certifying the full vaccination against COVID-19, negative PCR test for SARS-CoV-2, or recovery from COVID infection needs to be presented, the Medical Service will only treat the information in the context of the meeting, no storage afterwards is foreseen.

5. What are your rights under the EUROCONTROL Data Protection Regulation?

You have the right to access, rectify, complete and update your data by contacting [email protected]. You have the right to object to the use of your personal data in some circumstances. You may also delete your personal information. You have the right to request additional information about the handling of your personal data by contacting [email protected].

6. What do we do to avoid misuse or unauthorised access to data concerning you?

EUROCONTROL is committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure EUROCONTROL has put in place suitable physical, electronic and managerial procedures to safeguard and secure the information collected from you. All people allowed to verify the EU Digital COVID Certificate, have received the necessary instructions on how to proceed.

The application used to verify the validity of the EU Digital COVID Certificate does not store any data.

If the EU Digital COVID Certificate is not available, any other data will be kept under medical secrecy, only available to the Medical Service of EUROCONTROL and for a limited amount of time as indicated above (see section 4 above).

7. What safeguards do we apply when we transfer your data to third parties?

Only the security guards and staff members allowed to verify the EU Digital COVID Certificate can access your personal data mentioned in section 2 Above. and data is not transferred to other third parties. Staff and contractors are subject to confidentiality obligations and have received instructions concerning the protection of confidential information and personal data.

8. Who can you contact if you have questions or want to make a complaint?

For any queries related to this process, you can contact the Human Resources & Services department of EUROCONTROL, via the mail address [email protected].

Complaints can be addressed to EUROCONTROL’s Data Protection Officer.