To fight the COVID-19 pandemic, the EU Commission is setting up a vaccine passport system (the so-called 'Digital Green Certificate') to enable European citizens to travel easily and safely within the European Union in Summer 2021. This article examines whether Belgian companies may also use these certificates for other purposes (eg, to authorise or prohibit access to private places depending on a citizen's vaccination status).

What is the Digital Green Certificate system?

The EU Commission has published a proposed regulation which details the use of these certificates and how they will work. Three types of certificate will exist:

  • one for vaccinated citizens (the vaccination certificate);
  • one for citizens who have recovered from the virus and have COVID-19 antibodies (the certificate of recovery); and
  • one for citizens who have recently tested negative (the test certificate).

Such certificates will contain various personal data, which will vary slightly according to the type of certificate (eg, the vaccine certificate will indicate the data subject's identification, which vaccine was given, when it was given and in which EU member state). The certificates will also include a QR code, which will contain the citizen's personal data. The data will be processed by the competent authorities of the state of destination or cross-border passenger transport service operators which implement certain public health measures in the fight against COVID-19. This processing will be strictly limited to verifying the holder's status. The personal data must not be retained.

Can other Belgian service providers require citizens to provide such certificates?

The proposed regulation governs use of the certificates only for cross-border travel within the European Union. Member states are not prohibited from using the certificates for other purposes, but such use should be regulated by national law. The EU data protection authorities have also emphasised this in a recent opinion.

This opinion confirms the Belgian Data Protection Authority's (DPA's) existing position. The DPA has already issued various opinions and advice regarding the processing of health data in the fight against the COVID-19 pandemic. In all of its advice, the DPA has strictly interpreted the EU General Data Protection Regulation requirement for the processing of personal data and reaffirmed the general prohibition of the processing of health data. Such data can be legally processed only if free consent is given or where it is permitted by law.

The existing legislation does not seem to allow, for example, a festival organiser to require proof of vaccination before entry to a festival, for the following reasons:

  • Consent is not possible if access to the festival is denied to people who are not vaccinated. Such consent is not considered to be freely given. Free consent can be given only if no negative consequences are attached to giving or withholding the consent. This could be, for example, where a person optionally indicates whether they have been vaccinated so that the festival organiser can collect statistical data on this fact. However, in such a case, the vaccination card could not constitute a condition of entry.
  • There is no (general) legal provision which allows such processing. Therefore, the processing of someone's certificate for purposes other than that provided in the proposed regulation would seem to be illegal.

From the third day after publication of the proposed regulation, it will be possible to use the vaccine certificate for cross-border passenger transport. For all other purposes, it will be necessary to wait for the action of the Belgian legislature.