EESZT Application - Privacy Policy

effective as of 25 June 2021
 

Content of the Privacy Policy
 

Section 4 of Government Decree 60/2021. (12 February) on certifying immunity to coronavirus (hereinafter: Decree) regulates the application for certifying vaccination against coronavirus. Pursuant to the Decree, the National Directorate General for Hospitals (hereinafter: NDGH, or OKFŐ in Hungarian), as the operator of EESZT, provides the EESZT Application (hereinafter: Application) to the data subjects.

Following the identification of the data subject, the Application verifies the relevant data of the data subject based on the data queried from the EESZT in connection with the:
 

  • Hungarian Vaccination Certificate
  • EU Vaccination Certificate
  • EU Test Certificate and
  • EU Recovery Certificate (hereinafter collectively: Digital Covid Certificates)

 

The purpose of the Application is to provide information about Digital Covid Certificates. The information available in the Application is based on the data stored in the EESZT, which are queried using the Social Security Number.

The Application has the following features:
 

  • sign-in,
  • displaying the Hungarian Vaccination Certificate,
  • additional functions,
  • displaying the EU Vaccination Certificate,
  • displaying the EU Test Certificate,
  • displaying the EU Recovery Certificate

 

OKFŐ hereby informs the Users as Data subjects about the data processing implemented in connection with the Application.

 

Definitions
 

Application: The EESZT application, provided by NDGH as the operator of the EESZT, which certifies Hungarian Covid19 vaccination and EU Covid19 protection.

Personal data: Any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Data subject /User: Natural person using the Application.

EESZT: Electronic Health Service System (https://www.eeszt.gov.hu/).

Processing: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Controller: Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law.

Processor: Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Consent of the data subject: Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Data concerning health: Personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.

 

The terms used in this Policy are consistent with:

  • Act CXII of 2011 on Informational Self-Determination and Freedom of Information (hereinafter: Privacy Act),
  • Act XLVII of 1997 on the Processing and Protection of Health and Related Personal Data (hereinafter: Health Data Act),
  • REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter: GDPR),
  • Act V of 2013 on the Civil Code (hereinafter: Civil Code),
  • the concepts of the Hungarian National Authority for Data Protection and Freedom of Information’s prior information recommendations on data protection requirements.

 

CONTACT DETAILS OF THE CONTROLLER

 

With regard to the data processing related to the use of the Application and the sign-in, the Controller is the National Directorate General for Hospitals (NDGH) (hereinafter: NDGH or Controller).
 

Address: 3 Diós árok, 1125 Budapest, Hungary

E-mail: helpdesk.eeszt@okfo.gov.hu

Telephone: (+36 1) 356-1522

Web: https://e-egeszsegugy.gov.hu/

 

Contact details of the data protection officer
 

Name: Dr. Sebestyén Kálmán

e-mail: sebestyen.kalman@okfo.gov.hu
 

The place of the processing is Hungary.

 

CONDITION, LEGAL BASIS, PURPOSE, TYPE AND PERIOD OF DATA PROCESSING

 

In order to install the Application, the User does not need to record any of her/his personal data, but the use of the Application is subject to sign-in.

To log in, the User must first identify herself/himself with her/his Digital Gateway credentials and then enter her/his social security number. The Digital Covid certificates will be queried from the EESZT using this social security number. Sign-in without a social security number is not permitted.
 

Pursuant to Section 4 (3) of the Decree the Application displays:

a) the name of the data subject,

b) the social security number (‘TAJ’) of the data subject,

c) time of vaccination,

d) the fact or lack of protection against infection.

The Application also displays the EU Digital Covid Certificates detailed in Section 2.

The data processing activity specified below is based on the following legal bases.

 

  1. Data processed in order to display the Hungarian Vaccination Certificate

Under the Hungarian Vaccination Certificate section in the menu of the Application, the User can find information on how to verify her/his vaccination.

The User can turn simplified sign-in on and off at any time. When using the simplified sign-in, the Application stores the previously downloaded Hungarian Vaccination Certificate’s data in the memory of the User’s phone, which makes it possible to view them even without an internet connection. Without turning on simplified sign-in, the Application only stores the TAJ. The data processing in these cases is as follows:

| Types of processed personal data | Purpose of the processing | Duration of the processing | Legal basis of processing |
|---|---|---|---|
| TAJ | To display the Hungarian Vaccination Certificate. | The Application stores the TAJ until the User logs out of the Application or deletes the Application. | The processing is based on GDPR Article 6 (1) e): processing is necessary for the performance of a task carried out in the public interest. |
| name; target; vaccination(s) date; vaccination(s) type | To display the Hungarian Vaccination Certificate in offline mode. | The Application stores additional data - except TAJ - until the withdrawal of consent, whereby the User turns off the simplified sign-in. | The processing is based on GDPR Article 6 (1) a) and GDPR Article 9 (2) a): consent of the Data subject. |

 

  2. The EU Digital Covid19 Certificate system

The EU Digital Covid19 Certificate system covers three different types of Covid19 certificates: a vaccination certificate (point 2.1.), a test certificate (point 2.2.), and a certificate of recovery (point 2.3.). The processing related to EU Digital Covid19 Certificates has been designed in accordance with the provisions of Regulation (EU) 2021/953 of the European Parliament and of the Council of 14 June 2021 on a framework for the issuance, verification and acceptance of interoperable COVID19 vaccination, test and recovery certificates (EU Digital COVID Certificate) to facilitate free movement during the COVID19 pandemic.

 

  2.1 Data processed in order to display the EU Vaccination Certificate

Under the EU Vaccination Certificate section in the menu of the Application, the User can find information on how to verify her/his vaccination in the EU.

The User can turn simplified sign-in on and off at any time. When using the simplified sign-in, the Application stores the previously downloaded EU Vaccination Certificate’s data in the memory of the User’s phone, which makes it possible to view them even without an internet connection. Without turning on simplified sign-in, the Application only stores the TAJ. The data processing in these cases is as follows:

| Types of processed personal data | Purpose of the processing | Duration of the processing | Legal basis of processing |
|---|---|---|---|
| TAJ | To display the EU Vaccination Certificate. | The Application stores the TAJ until the User logs out of the Application or deletes the Application. | The processing is based on GDPR Article 6 (1) e): processing is necessary for the performance of a task carried out in the public interest. |
| name; date of birth; unique certificate identifier; disease or agent targeted: COVID19 (SARS-CoV-2 or one of its variants); COVID19 vaccine or prophylaxis; COVID19 vaccine product name; COVID19 vaccine marketing authorisation holder or manufacturer; number in a series of doses as well as the overall number of doses in the series; date of vaccination, indicating the date of the latest dose received; Member State or third country in which the vaccine was administered; certificate issuer | To display the EU Vaccination Certificate in offline mode. | The Application stores additional data - except TAJ - until the withdrawal of consent, whereby the User turns off the simplified sign-in. | The processing is based on GDPR Article 6 (1) a) and GDPR Article 9 (2) a): consent of the Data subject. |

 

  2.2. Data processed in order to display the EU Test Certificate

Under the EU Test Certificate section in the menu of the Application, the User can find information on which Covid19 test(s) have been recorded.

The User can turn simplified sign-in on and off at any time. When using the simplified sign-in, the Application stores the previously downloaded EU Test Certificate’s data in the memory of the User’s phone, which makes it possible to view them even without an internet connection. Without turning on simplified sign-in, the Application only stores the TAJ. The data processing in these cases is as follows:

| Types of processed personal data | Purpose of the processing | Duration of the processing | Legal basis of processing |
|---|---|---|---|
| TAJ | To display the EU Test Certificate. | The Application stores the TAJ until the User logs out of the Application or deletes the Application. | The processing is based on GDPR Article 6 (1) e): processing is necessary for the performance of a task carried out in the public interest. |
| name; date of birth; unique certificate identifier; disease or agent targeted: COVID19 (SARS-CoV-2 or one of its variants); the type of test; test name (optional for NAAT test); test manufacturer (optional for NAAT test); date and time of the test sample collection; result of the test; testing centre or facility (optional for rapid antigen test); Member State or third country in which the test was carried out; certificate issuer | To display the EU Test Certificate in offline mode. | The Application stores additional data - except TAJ - until the withdrawal of consent, whereby the User turns off the simplified sign-in. | The processing is based on GDPR Article 6 (1) a) and GDPR Article 9 (2) a): consent of the Data subject. |

 

  2.3. Data processed in order to display the EU Recovery Certificate

Under the EU Recovery Certificate section in the menu of the Application, the User can find information on whether the fact of recovery from Covid19 infection has been recorded.

The User can turn simplified sign-in on and off at any time. When using the simplified sign-in, the Application stores the previously downloaded EU Recovery Certificate’s data in the memory of the User’s phone, which makes it possible to view them even without an internet connection. Without turning on simplified sign-in, the Application only stores the TAJ. The data processing in these cases is as follows:

| Types of processed personal data | Purpose of the processing | Duration of the processing | Legal basis of processing |
|---|---|---|---|
| TAJ | To display the EU Recovery Certificate. | The Application stores the TAJ until the User logs out of the Application or deletes the Application. | The processing is based on GDPR Article 6 (1) e): processing is necessary for the performance of a task carried out in the public interest. |
| name; date of birth; unique certificate identifier; disease or agent from which the holder has recovered: COVID19 (SARS-CoV-2 or one of its variants); date of the holder’s first positive NAAT test result; Member State or third country in which test was carried out; certificate issuer; certificate valid from; certificate valid until (not more than 180 days after the date of first positive NAAT test result) | To display the EU Recovery Certificate in offline mode. | The Application stores additional data - except TAJ - until the withdrawal of consent, whereby the User turns off the simplified sign-in. | The processing is based on GDPR Article 6 (1) a) and GDPR Article 9 (2) a): consent of the Data subject. |

 

DATA PROCESSOR
 

The court, the prosecutor, the investigating authority, the police, the administrative authority, the National Authority for Data Protection and Freedom of Information or other bodies authorised by law may request the Controller to provide information, to disclose or transfer data, or to provide documents. The Controller shall disclose to public authorities - provided that the public authority has indicated the precise purpose and scope of the data - personal data only to the extent strictly necessary for the purpose of the request.

 

RIGHTS OF THE DATA SUBJECT

 

The rights of Users as data subjects are provided by the Controller as follows.

 

The User may exercise her/his rights in accordance with the rules applicable to the EESZT system, either in person at any Government Window or electronically by submitting the corresponding dedicated e-Paper form.

 

  1. Information and access to personal data

The data subject has the right to access his or her personal data held by the Controller and information about their processing, and to ask for the data to be provided to him or her at any time, and to check the data that the Controller holds about him or her, and to have access to the personal data.

 

  2. Right to rectification and completion of personal data processed

At the request of the data subject, the Controller shall, without undue delay, rectify inaccurate personal data corrected by the data subject in writing or complete the incomplete data with the content indicated by the data subject.

 

  3. Right to erasure

At the request of the data subject, the Controller shall delete personal data concerning the data subject without undue delay where one of the grounds specified applies:

  • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed by the Controller;
  • the data subject withdraws the consent on which the processing is based and there is no other legal ground for the processing;
  • the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
  • the personal data have been unlawfully processed by the Controller;
  • personal data are collected in relation with the provision of information society services directly to children.

 

  4. Right to restriction of processing

The data subject shall have the right to obtain, upon written request, restriction of processing by the Controller if:

  • the data subject contests the accuracy of the personal data, in which case the restriction applies for the period of time necessary to allow the Controller to verify the accuracy of the personal data,
  • the data processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead,
  • The Controller no longer needs the personal data for the purposes of processing but they are required by the data subject for the establishment, exercise or defence of legal claims,
  • the data subject has objected to the processing.

 

  5. Right to data portability

The data subject shall have the right to obtain the personal data concerning him or her which he or she has provided to a Controller in a structured, commonly used, machine-readable format and have the right to transmit such data to another Controller without hindrance from the Controller to which he or she has provided the personal data, where:

  • the processing is based on consent by the data subject or the data subject has given his or her explicit consent to the processing, or is based on a contract; and
  • the processing is carried out by automated means.

 

  6. The right to protest

Data subjects have the right to object at any time, on grounds relating to their particular situation, to the processing of their personal data based on legitimate interest or in the public interest, including profiling. In such a case, the Controller shall no longer process the personal data, unless the Controller demonstrates compelling legitimate grounds for the processing which override the rights of the data subject or are necessary for the establishment, exercise or defence of legal claims.

 

  7. Deadline for fulfilling the request

The Controller shall inform the data subject of the action taken without undue delay, but within one month of receipt of the request. Taking into account the complexity of the request and the number of requests, this period may be extended by a further two months where necessary, but in that case the Controller shall inform the data subject within one month of receipt of the request, together with the reasons for the delay. Where the data subject has made the request by electronic means, the information shall be provided by the Controller by electronic means, unless the data subject requests otherwise.

The data subject cannot enforce his or her rights if the Controller proves that it is not in a position to identify the data subject. If the data subject's request is manifestly unfounded or excessive (in particular in view of its repetitive character), the Controller may charge a reasonable fee for complying with the request or refuse to act. The burden of proof shall lie with the Controller. If the Controller has doubts as to the identity of the natural person making the request, it may request further information necessary to confirm the identity of the data subject.

 

ENFORCING RIGHTS
 

Any questions, comments or complaints about data management can be addressed to the Controller's staff via the Contact Centre of the EESZT. The data subject may exercise her/his rights by sending a request via e-mail or post. No rights can be exercised via telephone.

The data subject shall enforce her/his rights under the GDPR, the Privacy Act and the Civil Code, and in addition he/she:

  • can contact the National Authority for Data Protection and Freedom of Information (9-11 Falk Miksa str, 1055 Budapest, Hungary; 1363 Budapest, Pf. 9.; ugyfelszolgalat@naih.hu; www.naih.hu) or
  • can enforce her/his rights in court.

 

DATA SECURITY

The Controller undertakes to ensure the security of the data, to take technical measures to ensure that the data recorded, stored or processed are protected and to take all necessary measures to prevent their destruction, unauthorized use or unauthorized alteration. It also undertakes to require any third party to whom it may transfer or disclose the data to comply with its obligations in this respect.

 

OTHER PROVISIONS

The Controller reserves the right to unilaterally amend this Privacy Policy. After the amendment has entered into force, the Controller shall ensure that the amended Privacy Notice is made available and accessible to the data subjects.

EESZT Covid Control application – Privacy Notice

Effective as of 28 June 2021.
 

Introduction

Under Governmental regulation 60/2021. of 12 February 2021 about the certification of immunity against Covid19, the official certificate (hereinafter: Immunity Certificate) and application (hereinafter: EESZT application) in accordance with the regulation are intended to officially verify immunity against Covid19.

On the Immunity Certificate, data specified in the legal regulations are displayed in the form of a readable QR code, moreover the EESZT application presents the certification of vaccination (Hungarian vaccination certificate) with a digital QR code.

The framework for the issuance, verification and acceptance of interoperable COVID-19 vaccination, test and recovery certificates (EU Digital COVID Certificate) to facilitate free movement during the COVID-19 pandemic is set in REGULATION (EU) 2021/953 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 June 2021. To ensure the interoperability of and equal access to the certificates making up the EU Digital COVID Certificate for all citizens, in Hungary such certificates are issued in both digital and paper-based format, both with QR codes included. In digital format, EU Covid19 Vaccination Certificate, EU Covid19 Test Certificate and EU Covid19 Recovery Certificate data are presented in the EESZT application.

The National Directorate General for Hospitals (hereinafter: Service Provider) provides a mobile application (hereinafter: Application or EESZT Covid Control application) to read the above mentioned QR codes, so the content of the Covid19 certificates can be authentically verified.

 

About the Application

An internet connection is needed to download the Application. To install the Application, the user of the Application (hereinafter: the User or You) does not need to add any personal data; the Application is not subject to registration.

By scanning the QR code on the above mentioned certificates, the Application displays data specified in Hungarian and EU regulations in order to authentically verify the content of the certification.

 

Query process

To check the content of the Covid19 immunity certification (hereinafter: query), the User needs to scan the QR code by clicking the Scan button.

To scan the QR codes, You will need to allow access to the camera on your mobile device. When using the camera, no photo is taken, the camera image is not stored or transmitted, it only allows you to scan the QR code.

Therefore in the case of allowing access to the camera, there is no data processing by the Service Provider.

QR codes do not contain personal data by themselves, they function as verification keys. After scanning the QR code it is checked and in the case of a valid QR code, the Application presents data in a built-in browser.

Checking the content of the Covid19 immunity certificate requires internet access only if the verification keys were updated more than 24 hours ago. Without an update the Application cannot guarantee that the validity of the EU standard QR codes will be displayed correctly. To update the Application automatically, You should connect your device to the Internet, or if the automatic update is unsuccessful, please click on the Refresh button.

 

Data storing, data processing

The application does not store or transmit data about queries or their results, therefore there is no data processing.

As described above, allowing access to the camera does not involve any data processing.