What can(’t) companies do with the EU vaccine certificates?

To fight the COVID-19 pandemic, the EU Commission is setting up a vaccine passport system (“Digital Green Certificate”) to allow European citizens to travel easily and safely within the EU this summer. But could this certificate also be used by companies for other purposes, such as to authorise or prohibit access to (private) places depending on citizens’ vaccination status?

First, what exactly is this certificate?

The EU Commission has published a proposed Regulation detailing the use and operation of these certificates. In essence, three types of certificate will exist: (i) one for vaccinated citizens (the vaccination certificate); (ii) one for recovered citizens, as they have antibodies to COVID-19 (the certificate of recovery); and (iii) one for citizens who have recently tested negative (the test certificate).

Such certificates will contain various personal data, which will vary slightly according to the type of certificate, e.g. the vaccine certificate will indicate the identification of the data subject, which vaccine was given, when, in which EU country, etc.

The certificates’ goal is to organise a unified system in which all EU countries accept the same documents. This will enable EU citizens to travel under the same requirements to all EU countries, on the condition that they have such a certificate. To avoid any misunderstanding: the proposed Regulation is not intended to oblige every EU traveler to be vaccinated. It is more a question of minimum harmonisation: EU Member States must accept into their territory anyone in possession of such a (valid) certificate. The Member States can of course still accept travelers (or nationals returning from travel) into their territory by imposing other (additional) measures, such as a quarantine period.

The certificates include a Quick Response code (QR-code) containing the citizen’s personal data. The data itself is processed by the competent authorities of the State of destination, or by the cross-border passenger transport services operators required to implement certain public health measures in the fight against COVID-19. This processing is strictly limited to verifying the holder’s status. The personal data is not to be retained.

What about non-passenger transport services: can other providers request data subjects to provide such a certificate to enter their premises or activities?

A short answer to this question is: not currently. And here is why.

The proposed Regulation only regulates the use of the certificates for cross-border travel within the EU. It is not forbidden for a Member State to use the certificates for other purposes, but such other usage should then be regulated by national law. This has also been emphasized by the EU data protection authorities in a recent opinion.

This opinion confirms the Belgian Data Protection Authority’s (DPA) existing position. The DPA has already issued various opinions and advice regarding the processing of health data in the fight against the COVID-19 pandemic. In all its advice, the DPA has strictly interpreted the GDPR requirement for the processing of personal data and has reaffirmed the general prohibition of the processing of health data. Only if free consent is given or when permitted by law can such data be legally processed.

So in the example of a festival organiser requiring proof of vaccination before entry to the festival, such a practice does not seem to be allowed by the current state of legislation, as:

  1. Consent is not possible if access to the festival is denied to persons who are not vaccinated. Such consent is not considered to be “freely given”. A “free” consent could only be given if there were no negative consequences attached to giving (or withholding) the consent. This could be, for example, if a person can optionally indicate whether he or she has been vaccinated so that the organiser could collect statistical data on this fact. However, in such a case, the vaccination card will not be able to count as a “condition of entry”.
  2. There is no (general) legal provision allowing such processing. Hence, the processing of someone’s certificate for purposes other than the one provided in the proposed Regulation would seem to be illicit.

So, what does this mean?

As from the third day after publication of the proposed Regulation, the vaccine certificate can be used for cross-border passenger transport. For all other purposes, we must wait for the action of the Belgian legislator.

If you have any questions about the conditions under which you can process such personal data, please do not hesitate to contact us at the following e-mail addresses: and


Jan Clinck


Anne-Sophie Raxhon

