On 30 November 2023, the Supreme Administrative Court (hereinafter „SAC„) ruled that the extraordinary measures that imposed an obligation to validate the so-called infection-free status using the „čTečka“ application were illegal. The Supreme Administrative Court ruled that the validation process of the „čTečka“ application clearly infringed the right to privacy. It based its conclusions on Article 10(3) of the Charter of Fundamental Rights and Freedoms and  on the General Data Protection Regulation (GDPR).

In the opinion of the SAC, the Ministry of Health had „completely resigned“ on the assessment of  the proportionality of the infringement of the right to privacy, and „failed to make a primary consideration of what prima facie right is being interfered with by this measure„.

The extraordinary measure of 29.12.2021, no. MZDR 14601/2021-34/MIN/KAN (hereinafter the “Extraordinary measure„), issued by the Ministry of Health, in simple terms, made it obligatory to prove compliance with the conditions of so-called infection-free status on the basis of so-called covid passports, whereby the „čTečka“ application had to be used for this verification.

The Complainant, represented by our law firm, argued that, regardless of the mandatory use of the „čTečka“ verification app, the obligation to share personal data infringed our Client’s right to privacy. We argued that it is unacceptable that a customer (participant, visitor, spectator) must share sensitive personal health data in order to use elementary services. Among other things, and rather symptomatically, this was linked to the fact that during the checks using the „čTečka“ application, personal data was processed in the sense of the GDPR without meeting the conditions set out in the GDPR.

The „čTečka“ mobile application worked as follows. The inspected person submitted his/her so-called covid certificate in electronic or paper form to the operator of the regulated service. The operator than scanned the QR code in the respective covid certificate using the „čTečka“ application. After scanning of the relevant QR code, which was submitted by the customer (restaurant goer, theatre visitor etc.), a whole range of personal data was made available the display of the mobile device. The application made available to the controlling persons (operators, organizers) not only the name of the inspected person, but also the date of birth and information about either vaccination against COVID-19, negative-covid-test status, or status of recovery from COVID-19. The application then and finally evaluated whether the inspected person met the conditions set by the Emergency measure and could enter the respective regulated service.. Some of these data are particularly sensitive personal data indicative of a person’s condition, the processing of which is prohibited by the GDPR (with exceptions).

With regard to its previous case law[1], the Supreme Administrative Court questioned whether the above-described process of checking the „čTečka“ applications falls within the material scope of the GDPR, as it has previously stated, that a simple visual check without the application does not constitute data processing, though admitting that it may be different in the case of “čTečka”. The SAC then held that such a question has not yet been addressed in the case law of the CJEU. The essence of the SAC’s uncertainty was simply the fact that the „čTečka“ mobile application in fact displays the same set of data as the paper or electronic form of the certificate.

The SAC asked the CJEU to answer the question of whether the use of čTečka and the verification of compliance with the conditions of non-infectiousness involved the so-called automated processing of personal data within the meaning of Article 4 (2) of the GDPR Regulation and whether the mobile application of the Ministry of Health „čTečka“ falls within the material scope of the GDPR Regulation

The CJEU ruled on the preliminary question referred to it by the SAC rather unequivocally, namely that the using and verifying of the data in the covid pass for  confirmation of compliance with the conditions of so called non-infectiousness status using the „čTečka“ mobile application, constitutes automated processing of personal data and the „čTečka“ application must therefore meet all the conditions set out in the GDPR.

However, the conditions of the GDPR could hardly have been met, since, in the opinion of the Supreme Administrative Court, the Ministry of Health did not even realize that there would be any interference with the right to privacy, let alone that there would be the processing of personal data within the meaning of the GDPR.  In this respect, the Supreme Administrative Court stated in its judgment, inter alia, that: „The defendant did not address the right of customers to informational self-determination in the justification of the emergency measure and thus the issue of protection of personal data when proving and checking compliance with the conditions of the so-called infection-free status pursuant to Article I (15) of the emergency measure through the „čTečka“ application, as the complainant rightly argued. If the defendant did not make a primary consideration of what prima facie right is being interfered with by the measure, it could not logically consider the extent to which the interference with the right of customers to informational self-determination is proportionate.“ For this reason alone, the Extraordinary measure was, in the opinion of the SAC, unlawful.

Irrespective of the unlawfulness of the Emergency measure with regard to the unlawful interference with the right to privacy, the SAC also addressed whether the Ministry of Health had, where applicable, complied with the conditions imposed on it by the GDPR. However, from the position of the party to the proceedings, we can state that the even during the proceedings, the Ministry of Health still claimed that no processing of personal data was taking place at all. It could therefore hardly have fulfilled the conditions arising from the GDPR. The Supreme Administrative Court therefore „contented itself“ for the purposes of declaring the illegality with the fact that the Extraordinary measure did not even imply an explicit, let alone a specific, purpose of processing (as an elementary condition of any processing), considering it „irrelevant for the court to further consider how the Extraordinary measure could be in breach of the GDPR in terms of the use of the “čTečka” application, if the defendant erroneously assumed that the Regulation did not apply at all when checking compliance with the so-called infection-free conditions.“

The Supreme Administrative Court therefore did not even consider whether the obligation to validate the certificates was proportionate to the pursued objective, since it would only have examined proportionality if the legality criterion was met at all. That was not the case, since the Ministry of Health had already failed to meet event the legality criterion. It is obvious, however, at least with regard to the extent of the control of sensitive personal data, that the control by the „čTečka“ application was clearly disproportionate.

The following conclusions can therefore be drawn from the cited judgment of the Supreme Administrative Court:

• The control of the so-called covid certificates involved the processing of personal data within the meaning of the GDPR and a presented a clear interference with the right to privacy;
• In the words of the Supreme Administrative Court (SAC), the Ministry of Health, in the framework of the obligation to use the „čTečka“ application, completely resigned on the protection of the right to privacy of citizens;
• The Ministry of Health still claimed, apparently falsely, during the proceedings that it did not have to comply with the conditions set out in the GDPR;
• The imposition of the obligation of any similar control will have to comply with the principles of minimising the interference with the right to privacy and minimising the scope of personal data processed, given that it interferes with the right to privacy and the processing of personal data within the meaning of the GDPR.

The crucial fact is that the Supreme Administrative Court has confirmed inter alia that the Ministry of Health, by imposing the obligation of use of the “čTečka” app, has put at risk the personal data of all citizens who used or wanted to use regulated services at the time of the Emergency measure in an absolutely unprecedented way. The judgment discussed above de facto declared illegal the application of the „čTečka“ itself, as a tool for threatening the privacy of citizens, which operators had to use on a mandatory basis.

It cannot be but concluded that it was not only the Extraordinary measure that was illegal, as confirmed by the Supreme Administrative Court, but also the checks themselves, the implementation of which was established by the Ministry of Health as an entirely illegal obligation.

The team of AK Sudolská

---

[1] Namely the judgment of the SAC of 28 January 2022, No. 8 Ao 29/2021-98, where the SAC concluded that the mere visual inspection of certificates without the use of the „čTečka“ application does not result in the processing of personal data within the meaning of the GDPR.

Další články