The Office for Personal Data Protection



Important links


Path: Home Page


Statement on the reservation system for COVID-19 vaccination

2. 3. 2021 – The Office for Personal Data Protection has initiated an inspection at a private supplier of the online vaccination reservation system operated through the platform This step was made on the basis of numerous complaints as well as of certain media information revealing serious concerns as to the breach of the data protection law in the course of the processing operations related to this central online reservation for the COVID-19 vaccination.

The inspection will aim at the legality of the personal data transfer (particularly the birth certificate numbers of insured persons) to the USA via cookies (ads/ga-audiences, NID, _ga, _gat, _gid, collect), the inspection will also check the safeguards surrounding this transfer as well as the compliance with the information obligation during the processing of personal data in the central reservation system for COVID-19 vaccination. Mr Jiří Kaucký, the president of the office, said: “We will check how the personal data of the Czech Republic´s citizens are treated when they register via the central reservation system for COVID-19 vaccination and whether it is in line with the General Data Protection Regulation.” 

In this context, the office received on 20 January 2021 a data breach notification from the Czech Ministry of Health and from the National Agency for Communication and Information Technologies. Reportedly, an error in the functionality of the reservation system ( operated by a private supplier should have caused that the insured person number (including the birth certificate number) was displayed and transferred to the Google Analytics system whereby it was shared with the Google corporation. Pursuant to the notification, appropriate remedial measures have already been taken. The office will put these measures to a meticulous scrutiny and will assess their sufficiency and appropriateness and order, if necessary, to the controller (the Ministry of Health) or to the processor (the system supplier) to take further steps.  

The office will also prove, if the given data processing respects the conclusions of the CJEU judgment in case C-311/18 restricting the transfer of personal data outside the European Union. 

The public will be informed about the inspection findings and the relevant office´s conclusions in due time.
Responsible: Mgr. Vojtěch Marcín
Created / changed: 2.3.2021 / 2.3.2021


Placing: Document folders > News

Mode No graphics is currently switched on. Therefore you see the web page with no decorative graphics as well as any advanced formatting. If your browser supports CSS2, you can switch a graphic mode on.

Copyright © 2013 The Office for Personal Data Protection. All rights reserved.
web & design , editorial system