Processing of personal data for the covid certificate
The following information is intended to comply with the EU’s General Data Protection Regulation (GDPR) by informing you about how the Swedish e-Health Agency, as data controller, manages your personal data when you apply to receive a covid certificate, and about what rights you have.
The covid certificate is intended to facilitate travel within Europe during the coronavirus pandemic. It is designed the same way throughout the EU, Norway, Iceland and Liechtenstein. Covid certificates are issued by the Swedish e-Health Agency. By obtaining a covid certificate, you can show that you have:
- Proof of vaccination (vaccination certificate).
- Proof of a negative covid test (test certificate).
- Proof of recovery (recovery certificate).
How do the different certificates work?
Proof of vaccination for travel (vaccination certificate)
You log in to the e-service at www.covidbevis.se to obtain your covid certificate of vaccination. In order to use the e-service, you need to have a Swedish personal identity number, a Swedish e-identification and be over 16 years of age. After you request the certificate and provide your consent, the Swedish e-Health Agency retrieves information about your vaccination status from the National Vaccination Register maintained by the Public Health Agency of Sweden.
If you cannot use an e-identification, you can also order a covid certificate from the Swedish e-Health Agency by filling out a form. You print the form and fill it in, put it in an envelope and post it to the Swedish e-Health Agency.
E-hälsomyndigheten
Box 913
391 29 Kalmar
The agency will then send your covid certificate by post to your registered address.
Vaccination certificate for Swedish residents who have received a COVID-19 vaccine in a third country
Swedish residents who have been vaccinated in third countries (countries outside the EU/EEA) are able to receive a vaccination certificate as of 1 February 2022. The National Government Service Centre checks documentation for vaccinations received in third countries.
People who are now able to get a Swedish vaccination certificate are those who:
- Are registered in Sweden.
- Have a digital mailbox.
Individuals must have been vaccinated against COVID-19 with a vaccine that is approved in the EU or a vaccine that is on the WHO's Emergency Use Listing for vaccines.
Individuals must have received the final vaccination in a series in a third country. Third countries are countries outside the EU/EEA and countries where it is not possible to obtain a vaccination certificate, even though the country is linked to the EU's system for digital covid certificates.
Vaccination certificates are issued on behalf of the individual; it is the individual’s responsibility to present valid identification documents and original documents on the vaccinations he or she received.
Vaccination certificate for people who have had their vaccination registered on a reserve number
People who do not have a personal identity number, coordination number or immunity number and have had their vaccination registered on a reserve number can get a vaccination certificate by contacting the health care providers in the region where the person was vaccinated. If the doses have been given in different regions, you should contact the region where the last dose was received. Contact details for care providers can be found at 1177.se.
To receive a vaccination certificate, you must have been vaccinated against COVID-19 in Sweden and the vaccinations must be recorded at the health care centre. The vaccination doses must be registered on reserve numbers. You must specify an address where the vaccination certificate is to be sent by registered letter. You must be able to verify your identity with one of PostNord's approved forms of identification.
Printed copy of vaccination certificates at pharmacies
If you do not have an e-identification and are therefore unable to obtain a vaccination certificate yourself on a computer or a mobile, you can contact a pharmacy.
Visit one of Sweden’s approximately 1,400 pharmacies.
To get a vaccination certificate at a pharmacy, you must:
- Be vaccinated in Sweden and it must have been at least seven days since your last dose.
- Have no e-identification.
- Be able to verify your identity with an approved form of identification: ID card issued by the Swedish Tax Agency; Swedish passport with burgundy cover; Swedish national ID card; Swedish driver's license; Swedish SIS-marked ID card issued by, for example, a bank, company, authority or Swedish cashier service; or a Swedish service card (not SIS marked) issued by a government authority.
- Have a Swedish personal identity number.
Proof of recovery for travel (recovery certificate)
No sooner than eleven (11) days after a positive test result with a health care provider, you can request that the health care provider report information about the test result to the Swedish e-Health Agency to create a certificate for you. The test result is sent together with information about your name, personal identity number/birth date and address information to the Swedish e-Health Agency, which issues your covid certificate.
If you have access to a digital mailbox, the covid certificate will be sent there. If you do not have a digital mailbox, the Swedish e-Health Agency will send the covid certificate to your registered address.
As a guardian, you can obtain a covid certificate for your child. Children can obtain a covid certificate themselves from the time they reach 16 years of age.
Evidence of a negative test result for travel (test certificate)
After completing a test with a health care provider, you request that the health care provider send the negative test result together with information about your name and personal identity number/birth date to the Swedish e-Health Agency, which creates a covid certificate based on the information it has received. The Swedish e-Health Agency will then send the covid certificate back to health care providers who can send it to you through their e-service if you have e-identification. If you have access to a digital mailbox, the covid certificate will also be sent there.
If you do not have an e-identification or do not want to use the health care provider's e-service, you can instead have the covid certificate issued directly as a paper copy after you have verified your identity with the health care provider.
How do we process your personal data?
In the e-service Covidbevis.se – vaccination certificate
When you use the Swedish e-Health Agency's e-service to obtain your vaccination certificate, your personal identity number, your IP address and your created certificate are saved by the agency. Your personal identity number and your IP address are saved to document that the agency has securely verified the identity of those applying for a covid certificate. Your personal identity number is also used to ensure that you receive the correct certificate when using the e-service.
To create the certificate, information about your last vaccination (date, vaccine and dose) is obtained from the Public Health Agency of Sweden and your name and date of birth are obtained from the population register maintained by the Swedish Tax Agency. The certificate that is created is kept by the agency in accordance with the regulations on handling public documents in ch. 2. of the Freedom of the Press Act (1949:105) and the Archives Act (1990:782).
We also use your personal data to generate statistics on the use of the service, for example, to see how people use the service and to plan and follow up on the use of the service. However, when data is used for these purposes, the data is only processed in aggregated form or in a form that cannot identify you as an individual. We save your personal data for as long as we need the data to carry out the purpose of processing, or as long as required by law.
Our legal basis for processing personal data is that the processing is necessary to fulfil a legal obligation and the importance of secure identity verification. Support for personal data processing can be found in Regulation (EU) 2021/953 of the European Parliament and of the Council, and in the Swedish Ordinance regarding digital covid certificates (2021:708).
Employees who need to process the data in order to perform their duties can access your personal data.
Using a form to order a vaccination certificate
When you submit a form to the Swedish e-Health Agency with a request to order a covid certificate, the form and the certificate that is created are saved. This is done in accordance with the regulations on handling public documents in ch. 2. of the Freedom of the Press Act (1949:105) and the Archives Act (1990:782). The information you provide on the form is the basis for issuing your covid certificate of vaccination. To create the certificate, information about your last vaccination (date, vaccine and dose) is obtained from the Public Health Agency of Sweden and your name, date of birth and registered address are obtained from the population register maintained by the Swedish Tax Agency.
We also use your personal data to produce statistics on orders for covid certificates. However, when data is used for these purposes, the data is only processed in aggregated form or in a form that cannot identify you as an individual. We save your personal data for as long as we need the data to carry out the purpose of processing, or as long as required by law.
Our legal basis for processing personal data is that the processing is necessary to fulfil a legal obligation. Support for personal data processing can be found in Regulation (EU) 2021/953 of the European Parliament and of the Council, and in the Swedish Ordinance regarding digital covid certificates (2021:708).
Employees who need to process the data in order to perform their duties can access your personal data.
Vaccination certificate for Swedes who have received a COVID-19 vaccine in a third country
When you apply for a vaccination certificate with the Swedish e-Health Agency, your personal identity number, your documentation that forms the basis for creating a vaccination certificate and the certificate we create are saved by the agency. Your personal identity number is saved to document that the agency has securely verified the identity of those applying for a covid certificate. Your personal identity number is also used to ensure that you receive a certificate with the correct information. To create the certificate, information about your name and date of birth is retrieved from the population register maintained by the Swedish Tax Agency. The certificate that is created and the information that serves as the basis for the certificate are kept by the agency in accordance with the regulations on handling public documents in ch. 2. of the Freedom of the Press Act (1949:105) and the Archives Act (1990:782). We also use your personal data to produce statistics on covid certificates. The data is only processed in aggregated form or in a form that cannot identify you as an individual.
We save your personal data for as long as we need the data to carry out the purpose of processing, or as long as required by law. Our legal basis for processing personal data is that the processing is necessary to fulfil a legal obligation and the importance of secure identity verification. Support for personal data processing can be found in Regulation (EU) 2021/953 of the European Parliament and of the Council, and in the Swedish Ordinance regarding digital covid certificates (2021:708).
Employees at the Swedish e-Health Agency who need to process the data in order to perform their duties can access your personal data. Employees at the National Government Service Centre access personal data in the documents you submit to create the vaccination certificate.
Vaccination certificate for people who have had their vaccination registered on a reserve number
When you request a vaccination certificate from a health care provider, your personal data (date of birth and full name), the reserve number with which the vaccination has been recorded at the health care provider, and your created certificate are saved. Your data is saved to document that the agency has securely verified your identity and to be able to issue a certificate with the correct information. In order to be able to send the certificate to you, we also save the address and the contact details you provide for the health care provider.
The certificate is kept by the agency in accordance with the regulations on handling public documents in ch. 2. of the Freedom of the Press Act (1949:105) and the Archives Act (1990:782). We also use your personal data to produce statistics. However, when data is used for these purposes, the data is only processed in aggregated form or in a form that cannot identify you as an individual. We save your personal data for as long as we need the data to carry out the purpose of processing, or as long as required by law.
Our legal basis for processing personal data is that the processing is necessary to fulfil a legal obligation and the importance of secure identity verification. Support for personal data processing can be found in Regulation (EU) 2021/953 of the European Parliament and of the Council and in the Swedish Ordinance regarding digital covid certificates (2021:708).
Employees who need to process the data in order to perform their duties can access your personal data. The healthcare provider is the personal data controller for the personal data processing that the healthcare provider carries out in connection with vaccinations, sample collection and test results, as well as the personal data processing that takes place when reporting information to the Swedish e-Health Agency.
Printed copy of vaccination certificates at pharmacies
The Swedish e-Health Agency is the personal data controller for the personal data that is processed when a vaccination certificate is issued. When you use the Swedish e-Health Agency's service to obtain your vaccination certificate, your personal identity number, address and your certificate are saved by the agency. Your personal identity number is saved to document that the agency has securely verified your identity. Your personal identity number is also used to ensure that you receive a certificate with the correct information.
To create the certificate, information about your last vaccination (date, vaccine and dose) is obtained from the Public Health Agency of Sweden and your name and date of birth are obtained from the population register maintained by the Swedish Tax Agency.
The certificate is kept by the Swedish e-Health Agency in accordance with the regulations on handling public documents in ch. 2. of the Freedom of the Press Act (1949:105) and the Archives Act (1990:782). If you have a digital mailbox, your test certificate will be sent there.
We also use your personal data to produce statistics on covid certificates. The data is only processed in aggregated form or in a form that cannot identify you as an individual. We save your personal data for as long as we need the data to carry out the purpose of processing, or as long as required by law.
Our legal basis for processing personal data is that the processing is necessary to fulfil a legal obligation and the importance of secure identity verification. Support for data processing can be found in Regulation (EU) 2021/953 of the European Parliament and of the Council and in the Swedish Ordinance regarding digital covid certificates (2021:708).
Employees at the Swedish e-Health Agency who need to process the data in order to perform their duties can access your personal data. Pharmacy staff can access the information in connection with providing your vaccination certificate.
For covid test certificates
When you request a covid test certificate from a health care provider, your personal identity number and your created certificate with information about the type of test, time of test and test results are saved by the agency. The certificate is kept by the agency in accordance with the regulations on handling public documents in ch. 2. of the Freedom of the Press Act (1949:105) and the Archives Act (1990:782). We also use your personal data to produce statistics. However, when data is used for these purposes, the data is only processed in aggregated form or in a form that cannot identify you as an individual. We save your personal data for as long as we need the data to carry out the purpose of processing, or as long as required by law.
Our legal basis for processing personal data is that the processing is necessary to fulfil a legal obligation and the importance of secure identity verification. Support for personal data processing can be found in Regulation (EU) 2021/953 of the European Parliament and of the Council, and in the Swedish Ordinance regarding digital covid certificates (2021:708).
Employees who need to process the data in order to perform their duties can access your personal data. The care provider is the authority's personal data processor when issuing the covid certificate.
For covid recovery certificates
When you request a covid recovery certificate from a health care provider, your personal identity number and your created certificate with information about the type of test, time of test, test results and the validity period of the test are saved by the agency. The certificate is kept by the agency in accordance with the regulations on handling public documents in ch. 2. of the Freedom of the Press Act (1949:105) and the Archives Act (1990:782). We also use your personal data to produce statistics. However, when data is used for these purposes, the data is only processed in aggregated form or in a form that cannot identify you as an individual. We save your personal data for as long as we need the data to carry out the purpose of processing, or as long as required by law.
Our legal basis for processing personal data is that the processing is necessary to fulfil a legal obligation and the importance of secure identity verification. Support for personal data processing can be found in Regulation (EU) 2021/953 of the European Parliament and of the Council, and in the Swedish Ordinance regarding digital covid certificates (2021:708).
Employees who need to process the data in order to perform their duties can access your personal data.
Personal data processor
The Swedish e-Health Agency uses personal data processors for certain types of processing. The personal data processors who are used may only process personal data in accordance with the purposes and instructions communicated by the Swedish e-Health Agency for the processing. When personal data is processed by a personal data processor, a personal data processor agreement is always established to ensure that the data is protected.
What are my rights?
You have the right to receive, free of charge, information about and access to the personal data that the Swedish e-Health Agency processes about you. You also have the right to receive a copy of that information.
In response to your request or on our own initiative, we will correct or remove data that is incorrect or limit the processing of such data. You have the right to object to the processing of your data. In certain cases, you also have the right to receive your personal data in a machine-readable format or, if technically possible, to have the data transferred to a third party to which you refer.
You can also contact the supervisory authority in the country where you live or work. You have the right to damages if your personal data is handled in an illegal manner.
If you have any questions about covid certificates or how the Swedish e-Health Agency processes your personal data, contact the Swedish e-Health Agency by phone at 010-458 62 00 (opening hours: Monday–Friday, 8.00–17.00, excluding weekends) or by e-mail at covidbevis@ehalsomyndigheten.se.
You can also contact the Swedish e-Health Agency's data protection officer by e-mail at dataskyddsombud@ehalsomyndigheten.se or send your questions by post to:
E-hälsomyndigheten, dataskyddsombud
Box 913
391 29 Kalmar
Information on privacy
In addition to information about how the Swedish e-Health Agency handles your personal data, the authority is also obliged to inform you about how your information is handled in relation to secrecy. We do this in accordance with the Swedish ordinance (2021:708) regarding digital covid certificates. The Regulation is a supplement to Regulation (EU) 2021/953 of the European Parliament and of the Council.
The Swedish e-Health Agency retrieves information about your vaccination status from the National Vaccination Register maintained by the Public Health Agency of Sweden. This is done so that the agency can issue you a vaccination certificate.
The information in the National Vaccination Register is subject to confidentiality in accordance with ch. 24 Section 8 of the Public Access to Information and Secrecy Act (2009:400). Secrecy is very strong. When you request a vaccination certificate and give your consent, you are consenting to waive confidentiality for that information. The Swedish e-Health Agency can then retrieve the information about your vaccination and issue you a vaccination certificate.
When the data is handled by the Swedish e-Health Agency, it is subject to secrecy in accordance with ch. 25, Section 17 a of the Public Access to Information and Secrecy Act. The same level of secrecy applies when the data is handled by the National Government Service Centre for vaccination certificates for those who have been vaccinated in a third country.