Information on Personal Data Processing in the eRouška 2.0 Application (version 20210320)
Who We Are
We are the Ministry of Health of the Czech Republic (hereinafter the “Ministry”) and we operate the eRouška mobile application (hereinafter the “Application”), which helps the Ministry and other public health protection bodies deal with the COVID-19 epidemic caused by SARS-CoV-2 (hereinafter “COVID-19”). Using Bluetooth Low Energy (hereinafter “BLE”) technology, this Application records encounters with other telephones with the eRouška Application installed.
The Ministry is the personal data controller. In order to ensure the operation of the eRouška Application, we work with a technical supplier, Národní agentura pro komunikační a informační technologie, s.p. (the National Agency for Communication and Information Technologies, hereinafter “NAKIT”), as the personal data processor; its actions are under our control, and this is done under a contract and in accordance with our instructions.
The eRouška Application is an important part of the Smart Quarantine system. You can find more detailed information about the operation of the entire Smart Quarantine system here.
As a part of the cross-border exchange of information, we work with the controllers of similar applications in individual EU Member States (hereinafter “National Applications”) based on Commission Implementing Decision (EU) 2020/1023 of 15 July 2020, including Annex II added to this decision. Together with the administrators of National Applications of individual participating Member States or their relevant bodies, a list of which you can find here, we are joint administrators of the European Federation Gateway Service (hereinafter the “EFGS”), through which the National Applications exchange information.
We work with your personal data in accordance with Directive of the European Parliament and of the Council (EU) 2016/679 (hereinafter the “GDPR”) and in accordance with Act No. 110/2019 Coll., on Personal Data Processing.
How It All Works
A timely notification for persons that were exposed to a risk of a COVID-19 infection could markedly reduce the spread of this disease in the population. Warnings for potentially infected persons could markedly reduce the risk of medical complications and the spread of the disease. Most Member States have launched applications similar to the eRouška Application as one of the mechanisms of limiting the risk of spreading the infection in the wider population.
The whole system works in such a manner that, using BLE technology, eRouška detects and stores in its memory identifiers of other telephones with eRouška around it. If somebody gets sick, it is possible to easily warn others of the possible risk of infection through the application.
The exchange of information with other Member States’ National Applications is an expansion of this concept, through the EFGS this enables warnings for users of various National Applications. eRouška users can therefore be warned of encounters with infected foreigners (users of other National Applications) they encounter abroad or in the Czech Republic. It also enables infected eRouška users to warn users of other National Applications.
Why We Perform Processing and What Authorises Us to Do It
The eRouška Mobile Application helps notify users who recently came into contact with persons who have tested positive for COVID-19 and were exposed to a high risk of infection more easily, more efficiently and faster. We will not use the eRouška Application or data obtained from it for purposes other than its operation and the Application’s further development.
The exchange of information with other National Applications using the EFGS enables warnings of the risk of infection for users of National Applications of cooperating Member States – both in the case of an eRouška user travelling to another country and in the case of users of other Member States’ National Applications travelling to the Czech Republic.
How are you identified in the Application?
The eRouška Application has been developed in such a manner that it does not directly identify you and minimises the processing of the personal data of natural persons (hereinafter “Data Subjects”) to the lowest possible level.
The Application itself does not contain your personal data. The Ministry cannot identify a specific user of the application, i.e. you, in the Application’s technical solution.
The Application provides you with information that you encountered a person that tested positive for COVID-19 on a specifically determined day. This means that in certain circumstances, for example if you only met with one person that day, you will be able to guess who the infected person is. The same thing obviously works in the opposite way – another Application user could, in exceptional cases, deduce that you are the infected person. This is, however, a property of the Application that cannot be excluded, because the Application would not work properly without it and could not contribute to your greater protection from COVID-19.
The Ministry is not able to identity and is not able to ascertain who you encountered in the Application. The whole system is intentionally designed so that it completely minimises the risk of data abuse and so that everybody that contributes to the Application’s operation, including Apple and Google, only obtains the necessary amount of data.
From the viewpoint of GDPR principles, a specific person can only be identified indirectly and in very limited cases – e.g., through singling out from the controller’s viewpoint (Recital 26 of the GDPR) or in the form of the reidentification of data subjects by the addressee of a notification (this is a theoretical possibility of Data Subject reidentification making use of reasonable means for identification, in particular information about who he/she encountered at the incriminating time); these situations can only occur in the event of combining pseudonymised data in the eRouška Application, combining knowledge of the process of sharing information and the context from the viewpoint of the Application’s user (the controller should always consider the costs and time necessary for such identification, as well as the available technology at the time of processing and probable technological developments).
Legal Grounds for Processing
We process personal data pursuant to Article 6(1)(e) and Article 9(2)(i) of the GDPR, as essential to fulfil a task performed in the public interest that the controller is charged with performing in the area of public health to protect against serious cross-border health threats. In doing this, we act as a central state administration body and, the same as regional public health authorities and other public health protection bodies, we perform our tasks in accordance with Act No. 258/2000 Coll., on the Protection of Public Health, and in accordance with Act No. 372/2011 Coll., on Health Services and the Conditions of their Provision (the Healthcare Services Act).
International cooperation within the EU is based on Commission Implementing Decision (EU) 2020/1023 of 15 July 2020 and, in the event an infected person’s keys are sent to the EFGS, also based on your consent in accordance with Article 6(1)(a) and in accordance with Article 9(2)(a) of the GDPR.
The Application itself, however, is always installed with your consent, i.e. only you decide whether the Application will be installed on your phone or other device or not. By removing the Application you ensure that you will no longer contribute to the system’s operation.
Nobody, not even your employer or, for example, the owners of space that you enter should force you to install the Application.
All important steps for the use and functionality of the Application – installation/activation, sending pseudonymised information about the infection, reactions to warnings about a risky contact, sending pseudonymised information about infection to other EU Member States and accepting information about infected people from the EU – are voluntary and take place solely based on a specific action by a user.
Obviously, it still applies that the more people that install the Application and use it, the more effective the protection it provides will be.
Consent to Sending of Infected Person Keys through EFGS
In the event you test positive for COVID-19, the sending of your infected person keys, i.e. information about you testing positive for COVID-19, to users of other National Applications through the EFGS is based on independent consent in accordance with Article 6(1)(a) and in accordance with Article 9(2)(a) of the GDPR.
After data is sent about you testing positive, it is no longer possible to rescind your consent, because one-off data processing related to such consent has already commenced. Your consent is, however, just for the one time, i.e. in the event of a repeat positive test you will be asked for new consent to hand over, which again ensures your voluntariness as a part of the granting of consent.
What Data Do We Work With and What Do We Do With Them
The eRouška Application uses the Apple/Google Exposure Notification API (see Apple and Google websites) and complies with all rules published by Apple and Google for the use of this API. We also state information about the extent of data processed in the individual stages of the use of the eRouška Application.
Installation, Activation and Deactivation of eRouska Application
Installation of the Application takes place in the standard manner from the Apple App Store or Google Play Store.
The Application is activated upon the first launch after installation. Upon activation, each application is allocated and recorded on the eRouška server under an eHRID random unique identifier (instance of the Application) that serves for the purposes of the administration of installed Applications – e.g. for counting active Applications and protection against spam when collecting traffic statistics. eHRID is a pseudonymised identifier that serves only for these purposes and is not linked on the part of the eRouška server with any other identifiers of your mobile telephone or with any personal identifiers, or even, in the event of the handover of an infected person’s keys (see below), to such keys.
For ordinary operation (see below), the Application requires consent for Bluetooth to be switched on and consent for the Notification of Possible Contact or Notification of Contacts with Infection (the Czech Google and Apple names for the Exposure Notification API) to be switched on. These are functions of a telephone’s operating system and if they are not activated, the eRouška Application cannot be used. In some versions of Android, activation also requires Positioning Services to be switched on - eRouška does not use them, but with regard to the grouping of settings it is not possible to switch Bluetooth on independently without Positioning Services.
After removing the Application, when returning the telephone to its factory settings or when recovering the telephone’s state from the time before the installation of the Application, the link between the device and the eHRID identifier allocated upon activation is cancelled. If the Application is subsequently installed and activated again, a new eHRID identifier is allocated to it. All types of possible data are therefore stored only inside such a device or in the eRouška Application.
Ordinary Operation of eRouška Application
As part of its ordinary operations, every 10-20 minutes the eRouška Application generates random pseudonymised IDs (keys), which are stored and subsequently exchanged using BLE technology with other active eRouška Applications within reach of the Bluetooth signal (within a distance of a few metres). The eRouška Application does not know and does not record your position, it only records on your mobile phone keys for other eRouška Applications that it “encountered” together with information about the time, duration of contact and strength of the Bluetooth signal. The keys of the other Applications that eRouška encounters are stored for a period of 14 days, then the keys are erased.
The keys of other eRouška applications recorded during an encounter are always random and change over time, so it is not possible to retrospectively specifically ascertain who you encountered from the Application. In addition, the keys of other Applications also remain stored solely on your device; the eRouška server does not have any records (even anonymised) about what devices it was in contact with. As an Application user, you do not have access to the Application keys stored on your device.
As an Application user, you have the option of suspending the aforementioned operation of the eRouška Application. After you press the “Suspend eRouška” button on the Application’s main screen, the Application stops sending its keys and stops recording and storing other Application keys. An Application user achieves the same effect if, in his telephone’s settings, he switches off Bluetooth or Notifications of Possible Contact/Notifications of Contacts with Infection (the Exposure Notification API).
What Happens If I Am Infected
Information that you have fallen ill with COVID-19 can be provided to you solely by the public health protection authority (e.g. the public health service) or a healthcare service provider (your attending doctor or a laboratory) based on the laboratory results of a performed test. The eRouška Application does not ascertain whether you are infected and is not meant to inform you of a positive result of a laboratory test. The application’s aim is only to identify persons that were in risky contact with an infected person and to provide such persons with information about how to proceed in such a situation.
If you have undergone an examination for COVID-19 and your test was positive, one or both of the following scenarios will occur:
- After receiving a result from a laboratory, the Central Public Health Service System will automatically send you a text message with a one-time random verification code. With regard to the limited time validity of a one-time code, text messages are only sent during the daytime.
- You will be contacted by a public health service worker and, as part of an epidemiological investigation, he/she will ascertain specifying data for the evaluation of high-risk encounters, such as the infectious period (based on the time symptoms appeared) and the amount of risk (based on the intensity of symptoms and the environment in which you operate). During an epidemiological interview, the public health service worker can send a one-time random verification code by text message.
The point of this step is to authorise your eRouška Application to send the infected person’s keys to other eRouška Application users, so that they can assess whether they were in high-risk contact with you.
The verification code is generated by the eRouška server and handed over to the public health service’s information system, which arranges for it to be sent by text message. The whole process of creating and processing a verification code is designed in such a manner that the eRouška server obtains only a one-time random verification code, but no identifiers that could identify an infected person. The eRouška server therefore does not know an infected person’s identity.
The one-time verification code is valid for 12 hours. The one-time verification code is not stored in the public health service’s information system.
After receiving a verification code, use the “Send data” or “Warn others” function in the eRouška Application, which requires the verification code to be input and, after it has been input, sends data to the eRouška server. Sending your data (keys), i.e. sending information that the user of the relevant eRouška Application is infected, is voluntary on your part and is also conditional on authorisation from the public health service, so that it is not possible to send this information by mistake and it is also not possible to abuse the eRouška Application.
When sending keys, the eRouška Application only sends its own keys, i.e. keys that it “broadcast” during encounters with other Applications. This is why the keys are called an infected person’s keys. The keys of other Applications that your Application encountered are not sent.
Evaluation of High-Risk Contact
The eRouška server displays all infected person keys received for download. The keys are stored on the eRouška server for 14 days, then they are erased.
All active eRouška Applications regularly download new infected person keys and assess whether they correspond to others’ keys recorded during an encounter and whether the length of a contact and signal strength corresponds to the criteria for a high-risk contact. In the event that, based on this processing of the data, your eRouška Application assesses that there has been a high-risk contact, it creates a local warning (e.g. it displays an information window on your telephone in accordance with your telephone’s notification settings) that draws your attention to a high-risk contact and displays instructions for you about how to proceed. Everything takes place as part of the installation of the Application stored on your telephone, i.e. nobody else learns of this step.
A notification only contains information that you were probably exposed to a high-risk contact with an infected person and the day of the contact (eRouška does not have any other details or more precise information about the time or place of the contact with an infected person, and this information cannot be ascertained). The eRouška Application does not have information about who the infected person is and cannot even identify their pseudonymised keys, as they are processed in the Exposure Notification API in batches and it is not clear which specific key from a batch was assessed as a high-risk contact.
You will only receive a notification of a high-risk contact as the user of the Application in which the evaluation occurred; the eRouška server, the infected person you encountered and the public health service are not notified.
We would like to draw attention to the following: Nobody will contact you based on a notification in the eRouška Application, because nobody knows your contact details or knows that you have been assessed as having had a high-risk contact.
For the purpose of collecting aggregated statistical information about the effectiveness of the eRouška system, the Application sends anonymous statistical information to the eRouška server stating that a notification of high-risk contact has been made. This information is not linked to any user identifier or his/her mobile telephone and serves only for calculating aggregate statistics about how many notifications were generated, what the ratio of notifications to the number of infected persons was, etc. In order to confirm the authenticity of a report, the Application uses the allocated eHRID, which confirms that a report comes from an active eRouška Application, but cannot be used to identify you.
International cooperation is an extension of the concept for the functioning of eRouška. In the same way that the keys of an infected person are sent to all eRouška users for evaluation, the eRouška server sends them through the EFGS to the other National Applications, so that they can display them to their users. The same extent of data about infected persons is sent through the EFGS as is sent through the eRouška server – an infected person’s keys and the date of first symptoms (if known) – supplemented by identifiers of the country of origin and the countries of interest.
The EFGS enables National Application users, in their Application settings, to precisely determine the set of countries from which a specific user gets information about infected persons and to which he/she sends his/her data. eRouška implements a simplified model, called “EU Traveller”, in which an eRouška user chooses only “Cooperation with EU” YES/NO. The eRouška user sets the “Cooperation with EU” parameter for downloading information from other National Applications on a special page that is available from the home page and is also displayed when updating eRouška to a version supporting EU cooperation. For sending his/her own infected person keys, the eRouška user sets up the “Cooperation with EU” parameter on an additional page when sending data (“Warn others”).
International cooperation between the National Applications only works for National Applications making use of the Apple/Google Exposure Notification API and cooperating through the EFGS. A list of these and other related documents can be found at the European Commission’s website. In accordance with the terms and conditions for the use of the Exposure Notification API, there can only be one National Application in each country. The EFGS is operated by the EU and has its own GDPR documentation (EFGS Information about Personal Data Processing is annexed to this document).
In all scenarios there is an exchange of random keys during encounters between users of various National Applications automatically, based on the fact that their telephones use the same Exposure Notification API protocol. There are differences in whether and how their Applications subsequently exchange infected person keys for evaluation of the high-risk nature of encounters.
Scenarios for the use of international cooperation from the viewpoint of an eRouška user:
1) I was or am in another country and I am interested in whether I encountered an infected person there
An eRouška user that is or was in another country switches on the “Cooperation with EU” option on a special page that is available from his/her home page. In addition to a file with infected person keys from eRouška users, his/her eRouška starts to download keys of infected users of other EU National Applications that the eRouška server regularly obtains through the EFGS and to assess potential encounters with such users.
2) I was or I am in another country, I am infected, I would also like to warn foreign Application users
When sending data (“Warn others”), a user that is or was in another country switches on the “Cooperation with EU” option on an additional page as part of the process of sending data. He/she thereby gives his/her consent to the sending of his/her keys through the EFGS to National Application servers of other EU countries, which disclose his/her keys to users of their National Applications.
3) I encounter foreign tourists in the Czech Republic and I am interested in whether they are infected
This is a case symmetrical to 2) from the viewpoint of a user of another EU Member State’s National Application.
A foreign tourist with a National Application from his/her EU Member State who is confirmed to be infected chooses (in a manner specific for his/her National Application) to send the keys to all EU Member States or specifically to the Czech Republic. Through the EFGS, his/her National Application also sends his/her keys to the eRouška server, which includes them in the file of “Czech” infected people. The file is automatically downloaded by all eRouška Applications in the Czech Republic, independently of the “Cooperation with EU” settings, and they assess the riskiness of encounters.
4) A foreign tourist is or was in the Czech Republic and is interested in whether he/she encountered an infected person here
It is a case symmetrical to 1) from the viewpoint of a user of another EU Member State’s National Application.
A foreign tourist with a National Application from his/her EU Member State who is confirmed to be infected chooses (in a manner specific for his/her National Application) to download the file of infected keys from eRouška users, who gave the consent to send data to EU. The server of his/her National Application regularly obtains this file fron eRouška servers via EFGS.
Note: In all cases of sending infected keys from eRouška to EFGS, apart from the consent the user also specifies, wheter he/she was abroad within last 14 days (so called Traveller flag). Depending on the implementation scheme of EU integration in other National Applications this flag may be used to send the keys only to foreign users also marked as Travellers (use case of foreign tourists in CZ) or to all foreign users (use case of CZ tourist abroad).
In order to ensure the Application’s functionality, we will also work with data about its functioning (e.g. records of crashes of the Application and the use of the Application) on your telephone and we will use standard tools for this on your telephone (Firebase Crashlytics and Google Analytics) from Google. Data sent by the Application to these services do not contain identifiers of your person or your telephone (such as, for example, your telephone number, IMEI or AdvertisingID) and we process them for the purpose of searches and the correction of critical errors, records of updates to the Application and statistical mapping of the Application’s use by users. The Application does not know your personal data and such data can therefore not be linked to your person in any way. We work with such telemetric data for no more than 180 days.
Where We Process Your Data
We will only work with your personal data on the territory of the EU and in trustworthy third countries where Google servers are located; as a subprocessor, Google provides part of the server services for the Application’s operation through the processor. The handover to other countries is governed by standard contractual clauses, which are tools that ensure the sufficient protection of your rights in accordance with the GDPR. Your data will therefore be processed by verified and sufficiently trustworthy processors and subprocessors.
Who Has Access to Your Data
The data specified in this document are primarily stored on your telephone and only you have access to them. The Ministry, the EU, other users of the eRouška Application and users of EU Member State National Applications only have access to pseudonymised infected person keys that are sent through the eRouška server to all other users. The Ministry also has access to eHRID identifiers of the installed eRouška Applications used for statistical purposes and, in the case of technical problems, to anonymous crash logs from your Application for the purposes of correcting critical errors.
Legal regulations on personal data protection, in particular the GDPR, ensure that you have various personal data protection rights: To the extent to which they are guaranteed by regulations on personal data protection and the context of the relevant personal data processing, you can ask the Ministry, as the controller, for erasure in accordance with Article 17 of the GDPR (if the statutory conditions are met). The erasure can be technically performed by removing the eRouška Application from your telephone. Your random IDs (keys) are automatically erased after 14 days, as stated in the introduction.
Your rights related to the sending of infected person keys to users of other National Applications through the EFGS based on independent consent in accordance with Article 6(1)(a) and in accordance with Article 9(2)(a) of the GDPR are
- rights resulting from Article 15 (access to personal data);
- rights resulting from Article 16 (right to rectification);
- rights resulting from Article 17 (right to erasure);
- rights resulting from Article 18 (right to restrict processing);
- rights resulting from Article 20 (right to portability);
- rights resulting from Article 21 (right to object).
The aforementioned rights can only be exercised in the event that the data for which you exercise your rights can be clearly attributed to you. This would only be possible in the event that the Application were able to gather other personal data that would enable the data transferred to the server to be clearly attributed to you or your telephone. Because it is not necessary for the purposes of the Application’s operation, the Ministry is not obligated to gather such data, see Article 11(2) of the GDPR. The option of exercising the aforementioned rights is, however, tied to the option of identifying you. Because our application is designed in a decentralised way so that we are not able to identify you directly, and maximum use is made of pseudonymised data, we would like to point out that we will often not be able to identify you. In this context, it will not be possible to exercise the individual rights, with the exception of the right to erasure, which will always be exercised automatically if you suspend the functioning of the Application or remove the Application from your telephone.
Regarding the processing of your personal data, you can also contact our personal data protection officer: firstname.lastname@example.org.
In order to exercise any of these rights, please contact the personal data protection officer:
Ministry of Health of the Czech Republic
Personal Data Protection Officer
Palackého nám. 4
128 01 Prague 2
Company ID No.: 00024341
If you think that the processing of your personal data breaches legal regulations, you can submit a complaint to the national supervisory authority, which is the Office for Personal Data Protection.
Risks Linked to Application’s Use
The eRouška application is designed in such a manner that it completely minimises the set of data processed and the risk of their abuse. For this purpose, it has a whole number of protective and safety features, starting with the fact that the Ministry is not in any way able to specifically identify an Application user.
Nevertheless, the use of Bluetooth technology (which is, however, necessary for the functioning of the Application) entails certain risks and related conditions of operation, which are described below.
Which devices are supported for eRouška 2.0?
Previous app eRouška 1.0 required iOS version 11 (and higher) or Android OS version 5 and higher to work properly.
eRouška 2.0 uses Apple/Google protocol. Therefore, it only works on devices which support this protocol, such as iPhones with iOS version 13.5 and higher, and Android devices with OS version 6.0 and higher that contain Google Play Services. iPads or some new Huawei phones without Google Play Services are not supported.
Use of internet connection
eRouška 2.0 occasionally needs internet connection (ideally, twice a day). eRouška 2.0 will connect to the internet once a day to download the latest list of identifiers of individuals with COVID-19, and to evaluate encounters with them. eRouška will also connect to the internet once a day to download information about current situation in the Czech Republic which is then displayed in the News tab. The volume of downloaded data depends on the number of app users who tested positive. For example, for 500 new cases among eRouška users, the daily volume of downloaded data would be about 300 kB. Compare that to about 5 MB needed to download a regular webpage.
Running eRouška 2.0 which requires Bluetooth results in some energy consumption. However, this energy loss is supposed to be much lower than in eRouška 1.0, reaching only several percentage points per day.