COVID certificate: Management of personal data

The following information is intended to comply with the EU’s General Data Protection Regulation (GDPR) by informing you about how the e-Health Agency, as data controller, manages your personal data when you apply to receive a COVID certificate, as well as regarding what rights you have.  

The COVID certificate is intended to simplify travel within Europe during the COVID-19 pandemic. It is issued in the same form within the EU, Norway, Iceland, and Lichtenstein. The COVID certificate is issue by the e-Health Agency. With a COVID certificate, you can:     

  • Certify vaccination for travel purposes (vaccination certificate)
  • Certify a negative COVID-19 test for travel purposes (test certificate)
  • Certify recovery from a COVID-19 infection for travel purposes (certificate of recovery)

How do the different certificates work?

Vaccination certificate for travel purposes

You can log in to the web service www.covidbevis.se to obtain your vaccination certificate. To use the web service, you need a Swedish national registration number and Swedish e-Identification, as well as to be 16 years of age or older. Upon your request and agreement, the e-Health Agency retrieves information regarding your vaccination status from the Public Health Agency’s national vaccine registry.

If you are unable to use e-Identification, you can also order a COVID certificate from the e-Health Agency by printing out and completing a form, and mailing it by post to the e-Health Agency at the below address.

E-hälsomyndigheten

Box 913

391 29 Kalmar

Your test certificate will be sent by post to your home address as recorded in the national population registry.

Certificate of recovery for travel purposes

No sooner than eleven (11) days after receiving a positive result from a medical provider, you can request that your tests results be reported to the e-Health Agency to create your certificate. Test result data, including your name, national registration number, date of birth, and address, are sent to the e-Health Agency who issues the COVID certificate.

If you have a digital letterbox, your COVID certificate will be delivered there. If you do not have a digital letterbox, your COVID certificate will be sent by post to your home address as recorded in the national population registry.

Parents and guardians can obtain COVID certificates on behalf of their children. From the age of 16, children can also obtain their own COVID certificates.

Test certificate for travel purposes

After completing a COVID test, request that your healthcare provider send the negative test result, together with name, national registration number, date of birth, and address data, to the e-Health Agency which, from this data, generates a COVID certificate. The e-Health Agency then sends your COVID certificate to your healthcare provider who, if you have e-Identification, can deliver your COVID certificate via its web service.

If you don’t have e-Identification, or if you do not wish to use your healthcare provider’s web service, you can receive a paper-form COVID certificate upon presenting proper identification to your healthcare provider.

How do we manage your personal data?

Web service Covidbevis.se: vaccination certificate

When you use the e-Health Agency’s web service to obtain your vaccination certificate, your national registration number, IP address, and your completed certificate are saved by the Agency. Your national registration number and IP address are saved to document that the Agency has completed a secure identification of the individual applying for a COVID certificate, that is, you. Your national registration number is also used to ensure that you receive the correct certificate when you use the web service. 

In order to generate your certificate, information from your most recent vaccination (data, vaccine, and dosage) is retrieved from the Public Health Agency, as are your name and birth date, from the Swedish Tax Agency’s national population registry. The completed certificate is saved by the Agency in compliance with provisions regulating the management of public records in cap. 2 1949 Freedom of the Press Act (1949:105) and Arkivlagen (1990:782).

 

We also use your personal data to generate statistics regarding the use of our web services, for example, to consider how our service is used, and to plan and track service usage. For such statistical purposes, however, data is only used in the aggregate form, or in another form in which you are not individually identifiable. We save your personal data only so long as is required to satisfy these purposes, or to meet legal requirements. 

The legal basis of our personal data policy is that our use of such data is necessary to complete our legal obligations, and on the importance of secure identification. Support for our personal data policy is found in EU Parliament and Council regulation (EU) 2021/953, and in the complementary Swedish regulation (2021:708) concerning digital COVID certificates.

Partners who need access to personal data may be granted such access.

Ordering a COVID certificate by post

When you send a paper-form vaccination certificate request by mail to the e-Health Agency, that form is saved, along with the certificate thus created. This is done in accordance with provisions regulating the management of public records in cap. 2 1949 Freedom of the Press Act (1949:105) and Arkivlagen (1990:782). The information provided on your form constitutes the basis for the issuance of your COVID vaccination certificate. To generate that certificate, information from your most recent vaccination (data, vaccine, and dosage) is retrieved from the Public Health Agency, as are your name and birth date, from the Swedish Tax Agency’s national population registry

We also use your personal data to generate statistics regarding COVID certificates. For such statistical purposes, however, data is only used in the aggregate form, or in another form in which you are not individually identifiable. We save your personal data only so long as is required to satisfy these purposes, or to meet legal requirements. 

The legal basis of our personal data policy is that our use of such data is necessary to complete our legal obligations, and on the importance of secure identification. Support for our personal data policy is found in EU Parliament and Council regulation (EU) 2021/953, and in the complementary Swedish regulation (2021:708) concerning digital COVID certificates.

Partners who need access to personal data may be granted such access.

Regarding COVID test certificates

When you request a COVID test certificate from a healthcare provider, your national registration number and your completed certificate, as well as the date, time, and type data regarding your test, and its results, are saved by the Agency. This is done in accordance with provisions regulating the management of public records in cap. 2 1949 Freedom of the Press Act (1949:105) and Arkivlagen (1990:782). The information provided on your form constitute the basis for the issuance of your COVID vaccination certificate. To generate that certificate, information from your most recent vaccination (data, vaccine, and dosage) is retrieved from the Public Health Agency, as are your name and birth date, from the Swedish Tax Agency’s national population registry

We also use your personal data to generate statistics. For such statistical purposes, however, data is only used in the aggregate form, or in another form in which you are not individually identifiable. We save your personal data only so long as is required to satisfy these purposes, or to meet legal requirements. 

 

The legal basis of our personal data policy is that our use of such data is necessary to complete our legal obligations, and on the importance of secure identification. Support for our personal data policy is found in EU Parliament and Council regulation (EU) 2021/953, and in the complementary Swedish regulation (2021:708) concerning digital COVID certificates.

Partners who need access to personal data may be granted such access. The healthcare provider constitutes the Agency’s data-control assistant upon delivery of the COVID certificate.

Regarding COVID certificate of recovery

When you request a COVID certificate of recovery from a medical provider, your national registration number and your completed certificate, as well as the date, time, and type data regarding your test, and its results, and its period of validity, are saved by the Agency. This is done in accordance with provisions regulating the management of public records in cap. 2 1949 Freedom of the Press Act (1949:105) and Arkivlagen (1990:782). The information provided on your form constitute the basis for the issuance of your COVID vaccination certificate. To generate that certificate, information from your most recent vaccination (data, vaccine, and dosage) is retrieved from the Public Health Agency, as are your name and birth date, from the Swedish Tax Agency’s national population registry

We also use your personal data to generate statistics. For such statistical purposes, however, data is only used in the aggregate form, or in another form in which you are not individually identifiable. We save your personal data only so long as is required to satisfy these purposes, or to meet legal requirements. 

 

The legal basis of our personal data policy is that our use of such data is necessary to complete our legal obligations, and on the importance of secure identification. Support for our personal data policy is found in EU Parliament and Council regulation (EU) 2021/953, and in the complementary Swedish regulation (2021:708) concerning digital COVID certificates.

Partners who need access to personal data may be granted such access. The medical provider constitutes the Agency’s data-control assistant upon delivery of the COVID certificate.

What rights do I have?

You have the right to receive information regarding and access to your personal data within the e-Health Agency at no cost. You also have the right to a copy of such information.

Upon your request or our own initiative, the e-Health Agency will correct or remove information that is incorrect, or restrict access to such information. You have the right to object to our handling of your data. You also have the right, in certain cases, to receive your data in machine-readable form, or, if technically possible, to have data delivered to a third party chosen by you.

If you are dissatisfied with the management of your data, you have the right to lodge a complaint with the Swedish Authority for Privacy Protection, the supervisory authority for personal data in Sweden.

 

You may also lodge a complaint with the supervisory authority in your country of residence or workplace. You are entitled to compensation in the event that your data is managed in a manner prohibited by law.

With questions or concerns regarding the COVID certificate, or about how the e-Health Agency manages your personal data, contact the e-Health Agency by phone: 010-458 62 00 (Mon–Fri: 8 a.m.–5 p.m.), or via e-mail: covidbevis@ehalsomyndigheten.se.

You can also contact the e-Health Agency’s data protection representative at: dataskyddsombud@ehalsomyndigheten.se or by post at:

E-hälsomyndigheten, dataskyddsombud

Box 913

391 29 Kalmar

Confidentiality

In addition to information regarding the e-Health Agency’s handling of your personal data, the Agency is also obligated to provide information regarding the confidentiality requirements under which such information falls. This information is provided in compliance with the Swedish  regulation (2021:708) concerning digital COVID certificates. This regulation complements the EU Parliament and Council regulation (EU) 2021/953.

The e-Health Agency retrieves vaccination information from the Public Health Agency’s national vaccination registry. This is done in order to enable the e-Health Agency to provide your vaccination certificate.

Information in the national vaccination registry is subject to confidentiality requirements as outlined in 24 cap. 8 § Public Access to Information and Secrecy Act (2009:400). This confidentiality requirement is quite strong. When you request and agree to receive a vaccination certificate, you suspend this confidentiality, enabling the e-Health Agency to retrieve information about your vaccination, and generate a vaccination certificate for you. Information managed by the e-Health Agency falls under the auspices of confidentiality, per 25 cap. 17 § Public Access to Information and Secrecy Act.