Digital Covid Pass PRIVACY POLICY

This document provides information on how YOUR PASS, s.r.o., based at Prague 4 - Chodov, Türkova 2319/5b, the City of Prague district, postcode 149 00, Company ID: 24809888, file reference: C 176332 maintained by the Municipal Court in Prague (“Yourpass” or “we”) maintains your privacy when you use the Digital Covid Pass (“Service”).

Who is responsible for data processing and whom you can contact. The primary person responsible for processing your personal data is Yourpass. You can contact us anytime at [support@yourpass.eu]. We will respond to your query as soon as practically possible, but always within the statutorily required time period.

The data collected by the Service. The Service collects several categories of data as further described below in this document. Based on your use of the Service, when you use it to display a virtual card in .pkpass format, we are technically capable of connecting the data collected by the Service with personal data provided to us by you. We do not merge data collected for different purposes, nor do we share the data collected by the Service with anyone for purposes not described in this document.

Legal basis of processing. Yourpass processes personal data in accordance with the provisions of the European General Data Protection Regulation (“GDPR”) and the Czech Act No. 110/2019 Coll., Personal Data Processing Act, and any other data privacy legislation as may be applicable. For individuals from the European Economic Area (“EEA”), the requirements of the GDPR shall apply. Yourpass, as the controller, collects and processes your personal data only where it has a legal basis for doing so under the GDPR. Yourpass collects and processes your personal information where:

  • It satisfies a legitimate interest which is not overridden by your data protection interests or your fundamental rights and freedoms;

  • It is necessary to enable use of the application and protect the security of the application and connected services;

  • You provide your consent for a specific purpose; or

  • It is necessary to comply with a legal obligation.

Personal Data Collected Based on Consent

The Service collects this information from the provided QR code:

  • Name and surname

  • Date of Birth

  • Country 

  • Details about the vaccination for Covid-19, Covid-19 infection suffered in the past or Covid-19 test result, as the case may be.

Sensitive Personal Data Collected Based on Consent. We ask your consent to process the sensitive personal data, meaning the information specifically included in the Certificate of vaccination for Covid-19, in the Medical certificate on the Covid-19 infection or in the Certificate of testing for Covid-19.

Sensitive personal data are defined in Article 9 of the GDPR and the Czech Act No 110/2019 Sb. Personal Data Processing Act. Article 9 of the GDPR also applies to data concerning health. We process these data in accordance with Article 9 of the GDPR and the Czech Act No 110/2019 Sb. Personal Data Processing Act.

Personal Data Collected for Legitimate Business Interest. We use the personal data collected by the Service for legitimate business purposes, including in order to: (i) help us improve the Service and develop a new version of the Service; (ii) comply with any applicable law, court order, other judicial process, or the requirements of a regulator; (iii) protect the rights, property or safety of us or third parties; (iv) detect, prevent, mitigate and investigate fraud or illegal activities and monitor suspicious activity; and (v) as otherwise required or permitted by law.

What data protection rights do you have. Regardless of other rights you might have under the laws of your country, according to the GDPR and the Personal Data Processing Act you have: (i) the right to information under Article 15 GDPR; (ii) the right to rectification according to Article 16 GDPR; (iii) the right to deletion according to Article 17 GDPR; (iv) the right to restriction of processing according to Article 18 GDPR; (v) the right to object under Article 21 GDPR; as well as (vi) the right to data portability under Article 20 GDPR. In addition, there is a right to lodge a complaint with a competent data protection supervisory authority (Article 77 GDPR).

Children’s Privacy. The Service is not intended to be used by persons less than 13 years of age. We do not knowingly collect or process personal data of children, and we do not knowingly market the application to children. If you are under 13 years of age, do not use the Service.

What categories of data the Service collects and how we use them (Purpose of processing). Depending on how you use the Service, several categories of personal data may be collected and processed for the following purposes:

  • General use of the application:

      ◦ Image data obtained from uploaded PDF or your device’s camera to digitize your certificate

      ◦ Details about the vaccination for Covid-19, Covid-19 infection suffered in the past or Covid-19 test result

  • Analytics and crash reporting:

      ◦ Service data: information relating to how the Service functions, crash reporting

      ◦ Device data: information provided by internet browser (HTTP headers)

      ◦ Usage data: your behavioral actions within the application’s interface

How long will your personal data be processed. Yourpass processes and stores your personal data as long as it is necessary for the respective purpose. If the data are no longer required, they will be deleted regularly, unless their - temporary - further processing is necessary for purposes and within the scope of the statutory requirements.

 

Location of processing and transfer of your personal data. Your personal data will be transferred to and hosted on servers [within the European Economic Area]. Transfer of your personal data (for example when our 3rd party service providers need to access the data) will only happen to a country that the European Commission has decided provides adequate protection for personal data, to a recipient that has achieved binding corporate rules authorization in accordance with GDPR or to a recipient that has executed standard contractual clauses adopted or approved by the European Commission.

3rd party Services. When processing your personal data, Yourpass shares data collected by the application with the following 3rd parties (sub-processors):

  • Google. We use Google Analytics Service for web analytics

  • Amazon Web Services for infrastructure provisioning

Confidentiality of processing. Yourpass maintains strict confidentiality about your personal data and processes your personal data on a need-to-know basis and to the minimum extent required for the purposes outlined above. The same applies to 3rd party services used by Yourpass.

Security. We have reasonable technical and organizational measures in place to protect against unauthorized or unlawful processing and against the accidental loss, destruction or damage of the information under our control. Data collected by the application are protected by physical, electronic and organizational procedures, including secure sockets layer (SSL) encryption technology. However, no data transmission over the Internet can be guaranteed as 100% secure or error free. 

Changes to this Privacy Policy. Please check this document on a regular basis to inform yourself of any changes. Business needs and information technology are constantly changing and we may, from time to time, make changes to the way we collect and process information. The revised policy will be effective on the effective date stated below.

Effective Date: 21.06.2021