The Latvian data protection authority issues the opinion on provision of service of printing QR codes on plastic cards

This digital certificate which contains a QR code is often used in order to attend cultural events, restaurants, sport venues and other places where only persons with digital certificates can gather, without observing the two meter distance and wearing masks. It has come to the attention of the Latvian Data State Inspectorate (the Inspectorate) that some companies offer a service of printing QR codes on plastic cards. Although the digital certificate can be printed out on a paper or stored in a cell phone, having the code on the plastic card is apparently an easy way to carry it around.

The Inspectorate notes that passing of the information to a service provider for having it printed on the plastic card is considered data processing. The basis of such processing is Article 6 (1) b), i.e. processing is necessary in order to perform a contract or to take steps at the request of the data subject prior to entering into a contract. However, the QR code is consider the information on person’s health which is a special category of personal data under the GDPR, thus processing of such data is allowed only if there is a special basis in line with the GDPR. The Inspectorate considers that the service provider can process such information only if it has obtained a consent from the data subject (Article 9 (2) a) of the GDPR). In addition, the service provider is obliged to comply with the information obligation.

The Inspectorate states that, when the service has been already provided (the plastic card is printed and handed over to the client), the unique QR code of the client shall be deleted from the service provider’s systems. The service provider is entitled to keep the QR code for some days (the precise amount of time shall be determined) in order to effectively respond if the client is complaining about the quality of the service. However, in the Inspectorate’s view, it is better if the client signs a confirmation that that the printed information corresponds to the submitted one. The client’s QR code shall not be kept longer than necessary, which means that it shall be deleted without unnecessary delay. 

Finally, the Inspectorate reminds that the client’s QR code as the information on person’s health shall be protected with appropriate technical and organizational measures. This means not only the security measures of information systems, but also appropriate training of the staff, staff access arrangements, sanctions in cases of infringements etc.