Version: 12 July 2021
Privacy statement concerning the information systems and apps operated by the FOITT in connection with COVID-19 certificates
The processing of personal data by the Federal Administration is governed by Swiss data protection law. It applies to data processing in connection with the apps and the operation of associated information systems for issuing and revoking COVID-19 certificates. Data processing is based on the COVID-19 Act of 25 September 2020 (SR 818.102), the Ordinance of 4 June 2021 on Certificates to Prove COVID-19 Vaccination, COVID-19 Recovery or a COVID-19 Test Result (COVID-19 Certificates Ordinance; SR 818.102.2) and the Federal Act of 28 September 2012 on Combating Communicable Human Diseases (Epidemics Act, EpidA; SR 818.101).
"Personal data" means all information relating to an identified or identifiable person. In this case, primarily health data is processed, i.e. particularly sensitive personal data. "Processing" means any operation with personal data, irrespective of the means applied and the procedure, and in particular the collection, storage, use, revision, disclosure, archiving or destruction of the data.
The data processing described here is under the responsibility of the
Federal Office of Information Technology, Systems and Telecommunication FOITT
Tel. +41 58 463 25 11
3.1 Information system for the management of signature certificates
The FOITT operates an information system that is used to do the following with signature certificates (cryptographic keys) in order to check the authenticity, integrity and validity of electronic signatures of COVID-19 certificates:
- exchange them with corresponding foreign systems, particularly within the framework of the EU Digital COVID Certificate system of the European Union;
- make them available to applications that are used to store and check certificates.
In this way, interoperable certificates of other countries can be checked in the participating countries. The applications for storing COVID-19 certificates need the list of signature certificates in order to be able to check the validity of the certificates stored in the app. The applications for checking COVID-19 certificates need the list of signature certificates in order to be able to check the validity of the certificates they scan. The information system processes only signature certificates and thus no personal data.
3.2 Information system for issuing COVID-19 certificates
The FOITT operates an information system which the healthcare professionals designated by the cantons and the surgeon general (so-called issuers) can use to issue and revoke COVID-19 certificates that are compatible with the EU Digital COVID Certificate. For the purposes of administration and management of the authorised issuers, the following personal data is processed in the information system:
- full name, address, email address and telephone number of the issuers;
- details of the identification provider used and the identifier by which it identifies the person concerned;
- indication of the types of certificate that may be issued by the issuers (vaccination, recovery and/or test certificates);
- date of commencement and expiry of the validity of the designation of the issuers by the canton and the surgeon general.
The issuers provide the information system with the details necessary for the issuance of the COVID-19 certificate:
- full name and date of birth of the holder of the COVID-19 certificate;
- details of the country in which the vaccine was administered or the test was carried out, and details of the issuer (Federal Office of Public Health);
- vaccination details and data concerning the vaccine administered (in the case of a COVID-19 vaccination certificate);
- details of the illness contracted and the date of the positive test result (in the case of a COVID-19 recovery certificate);
- details of the test carried out (in the case of a COVID-19 test certificate).
Issuers rely on the documents in their possession when issuing certificates.
For the issuance of COVID-19 recovery certificates, the cantons can also use an automated procedure that compares the applicant's details with the information system in accordance with Article 60 of the EpidA and adds the information on the test result. The FOITT uses a protected website to make this information available to each canton for download for a period of 10 days after appropriate authentication. The data is irrevocably deleted thereafter.
The FOITT's information system uses the transmitted data to generate a COVID-19 certificate that contains both a unique certificate identifier and a standardised barcode in accordance with the ISO specifications. It also bears a regulated electronic seal of the FOPH (signature certificate), which is used for checking the authenticity, integrity and validity of the COVID-19 certificate. The unique certificate identifier is obtained from the information contained in the respective COVID-19 certificate by means of a cryptographic hash function (SHA-384 algorithm). Hash functions are one-way or non-invertible functions. Therefore, the unique certificate identifier alone cannot be used to draw conclusions about the content of a COVID-19 certificate.
The FOITT processes the personal data of holders of COVID-19 certificates to the extent that is absolutely essential for the creation, signing and transmission of COVID-19 certificates, as well as for their revocation, and it then destroys it completely. Moreover, the FOITT takes all appropriate technical and organisational measures to protect personal data. These include, among other things, storage of the data solely on protected servers of the Confederation and the use of encrypted connections for direct transmission between the information system for issuing COVID-19 certificates and the issuers or holders of certificates.
Access to the information system, including the relevant time, and the unique certificate identifiers of the generated certificates are recorded and/or stored in order to detect and prevent any wrongful use of the information system as a result of the system or the issuers' means of authentication, etc. being compromised, as well as for the purpose of certificate revocation. This logging reveals only which issuers authenticated themselves on the information system and when, and which certificates (unique certificate identifier) were retrieved from the system. No further personal data – in particular, no certificate content data – is stored. Logging within the framework of the authentication process is based on the legal foundations in Articles 25 and 26 of the Ordinance of 19 October 2016 on Federal Identity Management Systems and Directory Services (IAMO). Logging within the framework of the use of the information system (issuance of certificates) is based on the legal foundations in Articles 57l to 57o of the Federal Act of 21 March 1997 on the Organisation of the Government and the Administration (GAOA).
3.3 Information system for calling up revoked certificates
The FOITT operates an information system that is used to call up revoked certificates and contains the unique certificate identifier of the revoked certificates. The list of revoked certificate identifiers is made available to applications used for checking and storing COVID-19 certificates. The applications for storing COVID-19 certificates need this list to check the validity and revocation status of the COVID-19 certificates stored in the app. The applications for checking COVID-19 certificates need the list in order to be able to check the validity and revocation status of the certificates they scan. No conclusions can be drawn about persons from the certificate identifier, and therefore no personal data is processed in this system.
3.4 App for storing COVID-19 certificates
The app for storing certificates is used for the secure transmission and storage of COVID-19 certificates in electronic format and for the presentation thereof in Switzerland and abroad when required. People who have applied for and received a certificate can save it on their mobile phone or a similar device (e.g. a tablet). As it is possible to store the certificates of additional people, parents can manage the certificates of their minor children, for example.
Furthermore, the app can be used to check the validity of stored certificates. The installation and use of this app are voluntary. Since COVID-19 certificates contain health data and thus particularly sensitive personal data, the software of the app for storing certificates has been programmed in such a way that content cannot be passed on without the user's consent. No personal information from the COVID-19 certificates is transmitted by the app for storing certificates to the FOITT information systems in accordance with sections 3.1 to 3.3, except in the case of voluntary retrieval of certificates with data minimisation or voluntary conversion into another electronic format by the user (see sections 3.4.2 and 3.4.3 below).
Retrieval for updating the list of signature certificates from the information system as described in section 3.1 and the list of revoked certificates (or their certificate identifiers) as described in section 3.3 may be logged on the server systems of the FOITT for the purpose of maintaining information and service security. Technical data about the user's device, such as operating system version, app version, IP address, etc., is transmitted and stored with each retrieval. The validity checks carried out in the app do not trigger any server requests, as they are performed using the locally cached lists, without any personal data being transmitted.
Appropriate measures can additionally be taken to protect COVID-19 certificates against unauthorised access by third parties. Use of the app, including merely displaying the information from COVID-19 certificates, can therefore be made dependent on authentication. All types of authentication available on the mobile phone in question (PIN, pattern, password, biometric authentication, etc.) can be used for this purpose.
3.4.2 Retrieval of certificates with data minimisation ("light certificates")
The COVID Certificate app offers the holders of valid COVID-19 certificates the option of additionally retrieving a data-minimised certificate without health data (so-called "light certificate") for use in Switzerland if they so wish. To do so, the holder can send a valid COVID-19 certificate to the information system for issuing COVID-19 certificates in accordance with section 3.2 using a function implemented in the app. The system checks the signature and validity of the (original) COVID-19 certificate, creates and signs a data-minimised certificate (QR code) if the check is successful and then sends this back to the COVID Certificate app. The transmission takes place via a direct HTTPS connection to the FOITT servers and is protected by TLS encryption.
The certificate with data minimisation contains only the surname, first name and date of birth of the person concerned, the designation of Swiss COVID-19 certificate with data minimisation ("light certificate") and the expiry date. The validity of the certificate with data minimisation is limited to the shortest validity period defined for COVID-19 certificates. It can be activated again after the end of the validity period, provided the underlying COVID-19 certificate is valid. The certificate with data minimisation can thus prevent third parties from processing health data in an unauthorised manner when COVID-19 certificates are being checked (privacy by design).
The FOITT processes the personal data from the COVID-19 certificates of the holders to the extent that is absolutely essential for the creation, signing and transmission of data-minimised certificates and then destroys it completely. The retrieval of certificates with data minimisation from the information system as described in section 3.2 may be logged on the server systems of the FOITT for the purpose of maintaining information and service security. Technical data about the user's device, such as operating system version, app version, IP address, etc., is transmitted and stored with each retrieval.
3.4.3 Conversion into other electronic formats
The COVID Certificate app offers users the option of converting the COVID-19 certificate stored in the app into certain electronic formats (e.g. PDF). To do so, the user can send the certificate to the information system for issuing COVID-19 certificates in accordance with section 3.2 using a function implemented in the app. The system checks the certificate signature, converts the certificate accordingly and then sends it in the modified electronic format to the COVID Certificate app. The transmission takes place via a direct HTTPS connection to the FOITT servers and is protected by TLS encryption.
The FOITT processes the personal data from the COVID-19 certificates of the holders to the extent that is absolutely essential for the conversion and transmission of the certificate and then destroys it completely. The conversion into other electronic formats in the information system as described in section 3.2 may be logged on the server systems of the FOITT for the purpose of maintaining information and service security. Technical data about the user's device, such as operating system version, app version, IP address, etc., is transmitted and stored with each retrieval.
3.5 App for checking COVID-19 certificates
The FOITT provides a checking app that is installed on mobile phones or similar devices (e.g. tablets) and can be used to electronically check the authenticity, integrity and validity of COVID-19 certificates, including certificates with data minimisation, as well as recognised foreign certificates. No personal data is transmitted or permanently stored during the checking process.
Furthermore, the checking app is designed in accordance with the principle of data minimisation, which means that checkers receive from COVID-19 certificates only the information that is required in the context of their checking duties. In this sense, the app displays only the result of the authenticity, integrity and validity check, as well as one or more features that allow the unique attribution to the holder of the COVID-19 certificate. Specifically, this is the information concerning the holder that is contained in the certificate (full name and date of birth). This information is displayed to checkers only until they leave the corresponding view in the app (e.g. when a new COVID-19 certificate is scanned in). The information is deleted again thereafter.
No personal information from the COVID-19 certificates is transmitted by the checking app to the FOITT information systems in accordance with sections 3.1 to 3.3. Similarly, there is no local logging of the checked certificates. Retrieval for updating the list of signature certificates from the information system as described in section 3.1 and the list of revoked certificates (or their certificate identifiers) as described in section 3.3 may be logged on the server systems of the FOITT for the purpose of maintaining information and service security. Technical data about the user's device (e.g. operating system version, app version, IP address, etc.) is transmitted and stored with each retrieval. The individual validity checks carried out in the app do not trigger any server requests, as they are performed using the locally cached lists, without any personal data being transmitted.
Checkers who receive a certificate for checking may not retain it or the information read from it or use it for any purpose other than checking.
The apps and information systems operated by the FOITT are based on the COVID-19 Act, the COVID-19 Certificates Ordinance and the Epidemics Act. The information systems are used to generate, transmit and revoke COVID-19 certificates. The sole purpose of the apps and the data processing associated with them is to enable holders of COVID-19 certificates to
- store and transmit them securely (app for storing certificates),
- retrieve certificates with data minimisation if they so wish (app for storing certificates),
- convert COVID-19 certificates into other electronic formats if they so wish (app for storing certificates) and
- enable those checking COVID-19 certificates to check the certificates' authenticity, integrity and validity (checking app).
If the FOITT commissions third parties in Switzerland or abroad to process personal data, these third parties contractually undertake to comply with the requirements of the COVID-19 Act, the COVID-19 Certificates Ordinance and Swiss data protection law. The FOITT checks compliance with the requirements.
The provision of the lists from the information systems as described in sections 3.1 and 3.3 (signature certificates, revocation list) and the retrieval thereof by the apps takes place via an Amazon Web Services (AWS) content delivery network.
The FOITT periodically provides the Federal Statistical Office (FSO), in anonymised form, with the data currently available in the information systems in accordance with sections 3.1 to 3.3 for statistical evaluations. The data from these information systems may also be disclosed to the Federal Office of Public Health FOPH and the competent foreign body in completely anonymised form for statistical purposes.
The apps use interfaces to the operating system of the user's mobile phone. The operating system functions used via the interfaces must meet the requirements of the COVID-19 Certificates Ordinance; this does not apply to the rule concerning the source code under Article 28 paragraph 2 letter c and Article 29 paragraph 2 letter e.
The FOITT may not retain the personal data of holders of COVID-19 certificates transmitted to the information systems within the framework of certificate creation for longer than is necessary for certificate creation, signing and transmission, as well as revocation.
The personal data of issuers which the FOITT processes for the purpose of permission administration and management is retained for as long as is absolutely necessary for the issuance and any revocation of certificates.
The logged data on information system authentication and the issuance of certificates as described in section 3.2 and the logs concerning the retrieval of the updated lists of signature certificates, revoked COVID-19 certificates, the retrieval of certificates with data minimisation and conversion into other electronic formats in accordance with sections 3.4 and 3.5 are retained for a maximum of two years in accordance with the requirements of the Ordinance of 19 October 2016 on Federal Identity Management Systems and Directory Services (IAMO) and the Ordinance of 22 February 2012 on the Processing of Personal Data Arising from the Use of the Federal Electronic Infrastructure.
In order to protect the data against unauthorised access, loss and misuse, the FOITT takes appropriate security measures of both a technical (e.g. encryption, logging, access controls and restrictions, backups, IT and network security solutions, etc.) and organisational nature (e.g. instructions for employees, confidentiality agreements, reviews, etc.) in accordance with the requirements of the Federal Administration and Swiss data protection legislation.
Persons whose data is processed with the aforementioned apps and information systems have the right to information, rectification, erasure and surrender of their data. Moreover, they have the right to restrict and object to data processing. They additionally have the right to revoke consent, without this affecting the lawfulness of the data processing carried out up to the time of revocation. These rights apply only insofar as personal data is concerned. However, this is prevented to the greatest extent possible by the privacy by design principle underlying the apps, which are designed with digital signatures and decentralised data storage to ensure that as little information as possible is available on specific or identifiable persons (personal data). For this reason, the FOITT is unable to provide information about the personal certificate contents present in the apps, for example, or to correct this data. The FOITT cannot view this data, as it is stored solely on mobile phones, and only in the case of the app for storing certificates.
The exercise of these rights requires that the persons concerned provide clear evidence of their identity (e.g. by means of a copy of an identity document). To assert their rights, they can contact the FOITT at the address given in section 1.
In the event of violations of data protection law, the persons concerned may contact the competent data protection authority or take legal action in accordance with the data protection legislation.
The source code and technical specifications for the apps provided by the FOITT for storing and checking COVID-19 certificates will be published.
This privacy statement may be amended by the FOITT at any time without prior notice. The current published version or the version valid for the period in question shall apply. This privacy statement has been drawn up in several languages. In the event of any discrepancies, the German version will prevail. In the event of an update, the certificate issuers and the users of the apps will be informed of the change in an appropriate manner.
1.2 The app of the Federal Office of Information Technology, Systems and Telecommunication (FOITT) is based on the COVID-19 Act of 25 September 2020 (SR 818.102) and the COVID-19 Certificates Ordinance of 4 June 2021 (SR 818.102.2).
1.3 The purpose of the app is to enable users to check the authenticity, integrity and validity of COVID-19 certificates, including certificates with data minimisation ("light certificates"), as well as recognised foreign certificates (hereinafter collectively referred to as "COVID-19 certificates").
2.1 The installation of the app on the mobile phone and its use are voluntary for users.
2.2 Use of the app is not restricted to a geographical region. However, the check result generated by the app, i.e. the validity of COVID-19 certificates, refers only to the rules applicable in Switzerland.
2.3 By accessing the app, the user declares that he or she has understood and acknowledges the following conditions and legal information in connection with the app (and the elements contained therein). Users who do not agree to these conditions must refrain from using the app.
3.1 With the app, users can check the authenticity, integrity and validity of a COVID-19 certificate, as well as whether it has been revoked in Switzerland.
3.2 The camera must be activated to scan COVID-19 certificates displayed on mobile devices or on paper.
3.3 The app performs the following functions by means of an interface to the operating system of the user's mobile phone:
- COVID-19 certificates (QR code) can be scanned with the camera, thereby checking the authenticity, integrity and validity, as well as the revocation status of the scanned certificates in accordance with the Swiss rules. This requires synchronisation or retrieval of the signature certificate and revocation lists, as well as the Swiss verification rules from the FOITT systems via the internet.
- After these lists have been successfully synchronised, the app can continue to be used for checking offline (without an internet connection) for 48 hours.
- When checking a COVID-19 certificate, the following information is displayed to the user after the scanning process: full name and date of birth of the holder of the COVID-19 certificate, as well as the result of the check (valid/invalid). If the check reveals that the scanned certificate is invalid, the reasons why it is invalid are also displayed.
3.4 The app does not use location tracking or geopositioning.
3.5 The app cannot make any medical assessment, order any measures (e.g. quarantine) or issue any instructions.
4.1 Users are responsible for technical access to the app.
4.2 Users are obliged to take the necessary security precautions for their own devices in order to protect scanned COVID-19 certificates against unauthorised access by third parties and against malware.
Users' attention is hereby drawn to possible security risks arising from the use of the internet and internet technologies.
4.3 Users are obliged to keep the app up to date and to apply updates. There is no requirement to use a specific software version.
5.1 Although the FOITT takes all reasonable care to ensure that the information, content and notifications published in the app are correct, no warranty can be given with regard to their correctness, accuracy, timeliness, reliability and completeness.
The FOITT expressly reserves the right, without prior notice and at any time, to change or delete some or all of the information and content, or to temporarily not publish it.
5.2 Any liability claims against the FOITT for material or immaterial damages, including consequential damages, which may arise from access to, use or non-use of the app and its information, content and notifications, from misuse of the connection, from technical faults or from the breach of the users' duties of care, for example, are excluded to the extent permitted by law.
The user shall be responsible for and assume the risk of any action or conduct based on the information, content and notifications of the app. The FOITT accepts no liability whatsoever for any resulting damage.
5.3 Liability for associates and third parties is excluded to the extent permitted by law.
5.4 The FOITT assumes no responsibility and gives no guarantee that the functions and use of the app will be available continuously and uninterruptedly, that they will be free of errors and malfunctions or that errors will be rectified or that the servers are free of viruses or other harmful components.
The FOITT may interrupt or discontinue the use of the app at any time.
5.5 The FOITT is not responsible for references and links to third-party websites. The FOITT accepts no liability for the existence, content or accuracy of this information. Users who access and/or use such websites do so at their own risk. The FOITT explicitly declares that it has no influence whatsoever on the design, content or offerings of linked sites. The relevant third party is entirely responsible for the information and services of linked third-party websites.
Any responsibility in respect of such websites is declined.
6.1 Under Article 13 of the Swiss Constitution and the federal data protection provisions, all persons are entitled to have their individual privacy preserved and to be protected against the misuse of their personal data. The FOITT complies with these provisions. Personal data is treated as strictly confidential.
6.2 In close cooperation with its service providers, the FOITT endeavours to protect data insofar as possible from unauthorised access, loss, misuse or falsification.
6.3 The processing of personal data by the FOITT is governed by the privacy statement of the app.
7.1 Use of the app may be terminated by the user at any time by deleting/uninstalling the app on the mobile phone.
7.2 At the latest when the ordinance mentioned in section 1.2 ceases to apply, the FOITT will deactivate the app and request that users uninstall it on their mobile phones.
8.1 Copyright is held by the Swiss Confederation, represented by the Federal Office of Information Technology, Systems and Telecommunication FOITT.
8.2 The content published by the FOITT in the app is for personal use only. Any further reproduction or transmission of the content to third parties is not permitted. Downloading or copying content, illustrations, photos or any other data does not entail any transfer of rights concerning the content.
Copyright and all other rights to content, illustrations, photos or other data on this app belong exclusively to the FOITT or to any specifically named right holders. The reproduction of any components requires the prior written consent of the copyright holder.
9.1 These provisions have been drawn up in several languages. In the event of any discrepancies, the German version will prevail.
9.2 Use of the app is free of charge for users. Any costs for network access in order to use the app are borne by the user.
9.5 Swiss law is applicable, unless mandatory provisions state otherwise. The exclusive place of jurisdiction for all disputes is the competent Swiss court.