In recent days, our law firm has contributed to the issuance of an important decision in the European field, specifically at the Court of Justice of the European Union (hereinafter referred to as the“CJEU„), which ruled on a preliminary question filed by the Supreme Administrative Court of the Czech Republic (hereinafter referred to as the „SAC„). The preliminary question was raised in national court proceedings in which we represent our client in a trial against the Ministry of Health of the Czech Republic (hereinafter referred to as the „Ministry of Health„) on the legality of emergency measures from the period of covid legislation.
In its recent decision, the highest court instance in the European Union fully upheld a constant legal opinion held by our law firm, that the inspections carried out by the Czech “čTečka” mobile application, which was used for validation of so called covid certificates, constituted data processing within the meaning of the General Data Protection Regulation framework (hereinafter referred to as the “GDPR”).
As part of the national proceedings, our client seeks the annulment of the covid-era Emergency measure of the Ministry of Health dated 29 December 2021, ref. no. MZDR 14601/2021-34/MIN/KAN (hereinafter referred to as the „Emergency measure„), which was issued by the Ministry of Health. The Emergency measure, simply put, established the obligation of customers to present the so called covid certificates in certain businesses in order to prove compliance with the conditions of the so-called infection-free status. It was compulsory that certificates were verified by the “čTečka” mobile application by the respective businesses.
In November 2021, our law firm expressed its unequivocal opinion in the article „Visiting a Restaurant – Right or Privilege“ that such an inspection constituted an inadmissible invasion of privacy, and that is partly also because the GDPR was violated. The infringement consists in imposing the obligation to validate the covid certificates with the „čTečka“ mobile application – therefore imposing the obligation to process sensitive personal data.
The „čTečka“ mobile application worked as follows. The inspected person submitted his/her so-called covid certificate in electronic or paper form to the operator of the regulated service. The operator than scanned the QR code in the respective covid certificate using the „čTečka“ application. After scanning of the relevant QR code, which was submitted by the customer (restaurant goer, theatre visitor etc.), a whole range of personal data was made available the display of the mobile device. The application made available to the controlling persons (operators, organizers) not only the name of the inspected person, but also the date of birth and information about either vaccination against COVID-19, negative-covid-test status, or status of recovery from COVID-19. Theapplication then and finally evaluated whether the inspected person met the conditions set by the Emergency measure and could enter the respective regulated service.
With regard to its previous case law, the Supreme Administrative Court questioned whether the above-described process of checking the „čTečka“ applications falls within the material scope of the GDPR, as it has previously stated, that a simple visual check without the application does not constitute data processing, though admitting that it may be different in the case of “čTečka”. The SAC then held that such a question has not yet been addressed in the case law of the CJEU. The essence of the SAC’s uncertainty was simply the fact that the „čTečka“ mobile application in fact displays the same set of data as the paper or electronic form of the certificate.
The SAC asked the CJEU to answer the question of whether the use of čTečka and the verification of compliance with the conditions of non-infectiousness involved the so-called automated processing of personal data within the meaning of Article 4 (2) of the GDPR Regulation and whether the mobile application of the Ministry of Health „čTečka“ falls within the material scope of the GDPR Regulation.
The CJEU ruled on the preliminary question referred to it by the SAC rather unequivocally, namely that the using and verifying of the data in the covid pass for confirmation of compliance with the conditions of so called non-infectiousness status using the „čTečka“ mobile application, constitutes automated processing of personal data and  the „čTečka“ application must therefore meet all the conditions set out in the GDPR.
This decision of the CJEU is essential not only for the decision in the matter of the national proceedings before the SAC, but also for any further use of (not only mobile) applications through which any personal data is processed. The general takeaway from the decision of CJEU is that every scanning of QR codes containing personal data constitutes processing of personal data with all the consequences arising from the GDPR.
The proceedings on the annulment of the Emergency measure will continue before the Czech SAC, and it is now up to the SAC to assess the overall legality of the Emergency measure, especially with regard to the fact that the Emergency measure actually imposed an obligation on them to process personal data.
In practice, however, it is clear that operators of the regulated businesses often were not aware, that the Ministry of Health had put them in the role of controllers and processors of sensitive personal data by the making the use of the „čTečka“ mobile application mandatory. It is also very likely that the Ministry of Health had given them a tool that processes personal data in violation of the GDPR.
Regardless of the outcome of the proceedings, the CJEU’s decision significantly strengthens the legal certainty of personal data subjects – i.e., practically everyone. However, the fact that „čTečka“ processed personal data is only a symptom of the fact that the entire Emergency measure in fact forced the operators of regulated businesses to interfere with the privacy of their customers and imposed a legal obligation on customers to have their privacy interfered with. Among other things, the SAC will have to deal with the compliance of the mobile application of „čTečka“ with the fundamental human rights of each citizen, specifically the right to the protection of privacy, which in Czech republic is protected and guaranteed by the Charter of Fundamental Rights and Freedoms in Article 7 and Article 10, as well as the right to the protection of personal data, which is protected by the GDPR Regulation.
 within the meaning of Art. 4 indent 2) of the GDPR Regulation and in accordance with Art. 2 para. 1 GDPR