Coronavirus and data protection: the CNPD’s position on using the CovidCheck scheme

05 Nov 2021


Dorothée David

On 29 October 2021, Luxembourg’s National Commission for Data Protection (CNPD) published an FAQ section on data protection and the CovidCheck scheme on its website.

The CNPD has provided some clarifications about the use of Luxembourg’s national app, as well as about implementing the CovidCheck scheme in the workplace (see our Newsflash of 21 October 2021).

It appears from this FAQ section that:

  • scanning a QR code via the app constitutes processing of personal data (cf. article 4 paragraph 2 of the GDPR[1]), including health data, the processing of which is in principle prohibited by the GDPR (cf. article 9 paragraph 1 of the GDPR);
  • the collection of health data via the app is, however, lawful (cf. article 9 paragraph 2 letters (g) and (i) of the GDPR and article 3septies of the Law on measures to combat the Covid-19 pandemic[2]), as long as the company complies with the other principles and obligations of the GDPR;
  • the employer cannot collect data related to the vaccination status of employees (i.e. information as to whether or not the person is vaccinated); only the National Health Directorate (Direction de la santé) is currently authorised by law to process such data.

The position outlined by the CNPD implies many practical considerations for employers who, according to the principles and obligations arising from the GDPR, should therefore in theory do the following before implementing the CovidCheck scheme:

  • carry out and document a data protection impact assessment, if applicable under the management of the DPO (processing of sensitive data relating to vulnerable persons),
  • provide the employee with all the information required by articles 13 and 14 of the GDPR in writing,
  • if necessary, adapt their processing records, etc.

CASTEGNARO’s lawyers are at your disposal if you have any questions arising from the CNPD’s position in relation to labour law.



[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

[2] The modified Law of 17 July 2020 introducing a series of measures to combat the Covid-19 pandemic and modifying: 1. the modified law of 25 November 1975 on issuing medication to members of the public; 2. the modified law of 11 April 1983 on the regulations regarding the release and advertising of drugs: consolidated version as of 1 November 2021.