Vaccinated persons not included in the limit of persons allowed to participate in events
The provisions of the Regulation of the Council of Ministers of May 6, 2021 on the establishment of certain restrictions, orders and prohibitions in connection with the occurrence of an epidemic state do not entitle entities obliged to comply with the limit of persons specified in these provisions to request from them disclosure of information on vaccination against COVID-19. Evidence confirming the fact of vaccination may be presented at the initiative of the person interested in using the services of such an entity.
As information on vaccination is health data, it is a special category of personal data pursuant to Art. 9 (1) of the GDPR. Their processing is subject to stricter protection and is possible and legal after having met at least one of the conditions set out in paragraph 2 of the cited provision.
The processing of special categories of data is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subjects, in particular professional secrecy Art. 9 (2) of the GDPR.
In Poland, one of the provisions regulating the procedures in connection with counteracting the spread of the coronavirus is the Regulation of the Council of Ministers of May 6, 2021 on the establishment of certain restrictions, orders and prohibitions in connection with the occurrence of an epidemic state.
It defines, inter alia, limits of people who can participate in various events. According to its Art. 26 (16), the number of people who can participate in the event and meeting up to 25 people, which take place in the premises or building indicated as the address of the place of residence or stay of the person who organizes the event or meeting, as well as in the event and meeting up to 150 people that take place in the open air or in the premises or in a separate gastronomic zone of the sales room, referred to in Art. 9 (15) point 2 of this Regulation, does not include, inter alia, people vaccinated against COVID-19.
How can the information about the vaccination be obtained?
The provisions of the aforementioned Regulation do not regulate the possibility of requiring persons participating in such an event to provide information on their vaccination. They also do not specify who and on what terms and how can verify whether a given person is vaccinated against COVID-19. They also do not provide for "specific measures to safeguard" referred to in the above-mentioned Art. 9 (2)(i) of the GDPR.
Therefore, they cannot be considered as the basis for entitling entities obliged to comply with the limit of persons specified in these provisions to obtain information from the participants of such an event that they have undergone preventive vaccination. Thus, they are not entitled to request such data from them, and the data subject is not obliged to provide them.
In this situation, only if the person concerned gives consent to submit information on vaccination, obtaining such information may be considered as legitimate - the condition referred to in Art. 9 (2) (a) of the GDPR will be met. Importantly, the conditions for obtaining consent specified in Art. 4 (11) and Art. 7 of the GDPR must be fulfilled. This means that consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data and possible to withdraw at any time.
It should also be remembered not to excessively interfere with the privacy of a person - e.g. by recording the documents presented or collected declarations of will. There are also no prerequisites for the further storage of information on vaccination after the information has been verified.
Therefore, when the data subject decides to present a vaccination certificate on a voluntary basis, it is sufficient for the controller to read it and allow the entrance of the person beyond the limit. The entity cannot store this information any longer.
With respect to the principles of the GDPR
It is worth recalling that the processing of such information should comply with the principles set out in Art. 5(1) and (2) of the GDPR. Thus, the data must be:
- processed lawfully, fairly and in a transparent manner in relation to the data subject,
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes,
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed,
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed,
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.