On 5 October, the Court of Justice of the European Union (CJEU) delivered its ruling in Case C-659/22 (Ministerstvo zdravotnictví – Application mobile Covid-19).
In this case, a mobile app scans the QR code of COVID certificates. The app uses the camera of the mobile phone operated by the person in charge. By clicking a certain button in the app, the person in charge gains temporary access to several items of information contained in the certificate (e.g., name, date of birth, vaccination, type of vaccine, producer of vaccine, number of doses, date of vaccination).
The COVID app temporarily shows such personal data on the screen of the mobile phone of the person in charge, but the data are neither stored in nor transferred from the app/phone.
In this case, the app allows the person in charge to consult the personal data by automated means and to use them to evaluate whether the status of the data subject complies with the sanitary rules. The result of this evaluation is also automated (a green tick or, respectively, a red cross appears on the screen).
According to the CJEU, the notion of “processing” under the GDPR has a broad scope. Article 4(2) of the GDPR employs the expressions “any operation” and “such as”, which means that the list of actions qualified as “processing” under that definition serves only as a set of examples.
Thus, the Court decided that verifying the validity of COVID-19 certificates by means of the mobile app described above constitutes “processing” within the meaning of the GDPR.
Even if matters related to COVID-19 are fortunately no longer topical, this CJEU decision has an important consequence for mobile apps and other technical developments that are becoming more and more popular today. The Court's ruling settles a long-running debate, confirming that merely showing some information on a screen may constitute data processing, even if the data is not stored or further transferred.
The CJEU judgment is available here (currently available in French).