application privacy policy

By downloading and using the COVID Pass mobile application you state that you have read and agree to the Privacy Policy.

Carefully read this privacy policy for users of the mobile application (hereinafter the "Application") as a tool to support the management of the health crisis caused by COVID-19. This privacy policy, as well as the conditions of use of the App may be supplemented with information on the operation of the application published on and general information on the processing of personal data in the Xunta de Galicia at

Compártalo :


IMPORTANT NOTICE: The user agrees that the use of the Application DOES NOT IN ANY CASE CONSTITUTE A SERVICE OF MEDICAL DIAGNOSIS, HEALTHCARE OR PRESCRIPTION OF PHARMACOLOGICAL TREATMENTS. It warns and informs the user that the use of the Application may not in any case replace personal consultation with a duly qualified medical professional or as determined by the health authority.

1.Responsible for the processing of data of people using PassCOVID. gal and in charge of treatment.

The person in charge of the treatment:

Ministry of Health / Galician Health Service (Sergas). San Lázaro administrative complex, s/n.15781 Santiago de Compostela. CIF: Q6550006 H.

In charge of the treatment: Agency for the technological modernization of Galicia (Amtega) for the development, maintenance, accommodation and management of the system and of the application through which will give access to the people users.

Contact Delegate for Data Protection:

2.Categories of data subject to processing

To facilitate the different functionalities of the Application, identifying data provided by the user will be processed, or extracted from the Chave365 identification system in the event that the person identifies himself in the system with this mechanism.

Only in the case of persons identified with Chave365, health data of the requested users of the public health system relating to the situation of the user with respect to COVID-19 will be processed.

Data provided by the user will be treated in relation to personal preferences, place of residence, possible close contacts, or establishments in which he has been. The information of close contacts and stays in establishments will be stored locally on the user's device, unless the user voluntarily decides to transmit some of this information to the health authority.

The personal data that will be used in the event that the user decides to register in the application will be the following:

  • Name and surname, to confirm identity.
  • DNI / NIE, to identify yourself in PassCOVID and to be able to obtain personalized health information related to Covid-19.
  • Mobile phone number, for sending SMS notifications.
  • Personal health data related to the situation with respect to Covid-19, to enable the declaration and sending to the health authority of close contacts, access the COVID Radar code, access the vaccination certificates, be able to send to the health authority stays in establishments and receive personalized messages and recommendations.
  • Data of the people with whom it is declared in the application to maintain close contact (name and surname, contact telephone number and type of link).

In addition to registered users, in the case of anonymous users, the following data will also be used:

  • Place of residence, to obtain personalized information about that place.
  • Details of stays in the establishments declared in the application: name of the establishment, date and time.
  • Language preferences, so you can use the application in your preferred language.
  • Data of people who self-declared in the application who maintained close contact with a confirmed case of Covid-19 (name and surname, contact telephone number, date of birth and type and number of identity document).

PassCOVID may verify the existence of applications already installed on your device and / or access your information in the following cases:

  • Access to the device's camera application, in order to capture the QR codes of the establishments visited to the QR of the vaccination, test or recovery certificates, in order to have them within the PassCOVID App or to verify that the data of the certificates are correct.
  • Access to the contacts directory application, in case you want to use it to load the contact data in the application automatically.
  • Access to the phone application, to make calls to the contact phone numbers presented in the application
  • Access to links to third-party content and applications on the Internet to provide information and services related to COVID-19.
  • Read and write access to storage on the device to read and write files, photos, videos and audio. These permissions are necessary to be able to download, open and view the vaccination certificate.

More information at

3.Origin of the data

  • Data provided by the person using the Application.
  • Data requested from those that the Autonomous Administration already has, especially from the Galician public health system.
  • Data obtained from the mobile device.

4.Purposes of data processing and functionalities of the Application

The data will be used for purposes related to the monitoring and containment of Covid-19 disease especially to support the protocols of action against the crisis, in force at any given time.

a) Receipt of information or alerts relating to practical advice and general guidance relating to the health crisis caused by COVID-19, as well as recommendations for appropriate actions and measures to be followed.

b) Provide information on resources of interest for monitoring health, confinement or mobility guidelines.

c) Provide personalized information on the level of transmission risk that each user poses to others based on the information available to the Galician Public Health System. The determination, as a guide for the user, of the individual level of transmissible risk will be carried out on the basis of the information available to the data controller as a health authority and based on whether it is a confirmed COVID case with active infection, a close contact of a COVID case, Normal situation (including the confirmed COVID case with outdated infection)

This information will have a purely indicative purpose for users without legal consequences for them, as it must be checked with the health services for confirmation. In any case, the user may contact the data controller

d) Facilitate the identification of close and recent contacts of the user in the event that this has been declared as a confirmed or probable COVID-19 case that contributes to tracking the spread of the virus and the disruption of transmission chains.

e) Serve as a digital medium for the storage of individual documentation that may be useful to facilitate the application of the measures adopted by the competent authorities in crisis management.

f) Facilitate the automatic registration of accesses with date and time of users to leisure and event venues, so that, in the event that a COVID-19 case is detected in one of these spaces, it will serve as support for the manual tracking of people. who may have been in contact with the said positive.

g) Obtain information relevant to its scientific or epidemiological value with the appropriate guarantees of anonymisation.

5.Legitimation for the processing of personal data

The data necessary for the proper functioning of the application and the operation of its functionalities will be processed. The use of the application and the configuration of each of its different functionalities will be based on the voluntariness of the citizenry, so that the user can specifically activate and deactivate each of them independently at all times, as well as decide to uninstall the application. All this, without any negative consequences for those who can not or decide not to download or use the application. The processing of personal data, derived from the operation of the App in both general and special categories, will be carried out for reasons of general public interest. In particular, for reasons of essential public interest or the determination of risk level information as a possible transmitter, and for reasons of public interest in the field of public health with respect to the declaration by the user of close contacts following the declaration of the user as a COVID-19 case. More information at

6.Data retention period

The data will be kept for the time necessary for each of the functionalities of the App and will be deleted, anonymised and / or blocked in accordance with current regulations.

The Passcovid information system. gal will be linked to the provisions and protocols for the management of the health crisis arising from the coronavirus COVID-19, so its validity is restricted to the time period in which such provisions and protocols are applicable. The end of this validity will be at the time of the declaration by the state government, in application of the provisions of article 2.3 of Royal Decree-Law 21/2020, of 9 June, on urgent measures of prevention, containment and coordination to deal with the health crisis. by COVID-19, the end of the health crisis situation caused by COVID-19 or, if later, at the time of the declaration, by the Autonomous Government, of the end of the health emergency situation declared by Agreement of the @Consello de la Xunta de Galicia of 13 March 2020, declaring the health emergency situation in the territory of the Autonomous Community of Galicia and activating the Territorial Emergency Plan of Galicia (Platerga) at its IG level (emergency of Galician interest), as a result of the evolution of the COVID-19 coronavirus epidemic . By resolution of the person in charge of the Ministry responsible for health published in the Diario Oficial de Galicia, the time of the end of the system will be made public, which will mean the immediate deactivation of the application and the deletion of personal data processed for such purposes. as a result of the evolution of the COVID-19 coronavirus epidemic. By resolution of the person in charge of the Ministry responsible for health published in the Diario Oficial de Galicia, the time of the end of the system will be made public, which will mean the immediate deactivation of the application and the deletion of personal data processed for such purposes. as a result of the evolution of the COVID-19 coronavirus epidemic. By resolution of the person in charge of the Ministry responsible for health published in the Diario Oficial de Galicia, the time of the end of the system will be made public, which will mean the immediate deactivation of the application and the deletion of personal data processed for such purposes.

All this, without prejudice to the possible preservation of information that is relevant for its scientific or epidemiological value in the service of the public interest for longer periods, preserved in an anonymized format and with the necessary guarantees to prevent the re-identification of those affected.

7.Categories of recipients of personal data

The data controller, Consellería de Sanidade / Servicio Galego de Saúde (Sergas), for the purposes described in section 3, will allow access to personal data to the Galician Agency for Technological Modernization (Amtega) in its capacity as data controller. The relationship between the two entities is regulated in the ORDER of 18 August 2020 regulating the Passcovid information system. gal as a complementary measure in the management of the health crisis caused by COVID-19. Likewise, the data could be communicated. In any case, the necessary measures will be taken to guarantee the confidentiality and security of the data and the protection of the rights of the persons concerned, as well as the signing of the corresponding confidentiality commitments. A verification process has also been established,

8.Rights of interested parties regarding their personal data and how to request them

The controller will guarantee and facilitate at all times the exercise of their rights in the field of personal data protection. These rights are:

  • Right of access: the right to obtain confirmation as to whether the data and information, if any, on such processing are being processed.
  • Right of rectification: right to request the rectification of data when they are inaccurate.
  • Right of deletion or forgetfulness: right to obtain the deletion of data in the terms provided for in current regulations.
  • Right of opposition: right to object, at any time, to the processing of personal data.
  • Right to limit the processing: right for the controller to limit the processing of the data of the interested party in the cases included in the current regulations.
  • Right to data portability: the right to receive data provided in a structured, commonly used and machine-readable format, or to be transmitted directly to a third party in the cases established in current regulations.
  • Right not to be subject to automated individual decisions: Right not to be the subject of a decision based solely on automated processing, including profiling, which produces legal effects on the data subject or affects him or her in a similar way.
  • Right to withdraw consent: when the processing of data is based on the consent of the persons concerned, they may withdraw the consent granted at any time, without this affecting the lawfulness of the processing prior to its withdrawal.

Interested parties may request the right of access, rectification, deletion, limitation, opposition and portability of the personal data processed. In addition, they may withdraw each consent given at any time, although this will not affect the lawfulness of the treatment based on the consent prior to its withdrawal. All this through the electronic headquarters of the Xunta de Galicia through the procedure called PR004A or in the places and registers established in the regulations of the common administrative procedure, as stated in

Interested parties have the right to file a complaint with the Spanish Data Protection Agency - AEPD at all times.

9. Other guarantees in the processing of data

Other guarantees in the processing of data are included in the order regulating the Application: ORDER of 18 August 2020 regulating the Passcovid information system. gal as a complementary measure in the management of the health crisis caused by COVID-19.

Both in the development and in the implementation and operation of the system and the application that gives access to it, and subsequently in its deactivation, the necessary guarantees will be established for users and other affected people regarding the processing of their personal data, according to the provisions in the current legislation on data protection and confidentiality of communications, in particular Directive 2002/58 / EC of the European Parliament and of the Council of 12 July 2002 on the processing of personal data and the protection of privacy in the sector of electronic communications (Directive on privacy and electronic communications), as well as its transposition rules, the General Data Protection Regulation and Organic Law 3/2018, of 5 December,of Personal Data Protection and guarantee of digital rights.

These guarantees will respect the principles set out in @ said regulations. In particular, the collection of personal data will be governed by the general principles of effectiveness, necessity and proportionality, respecting in any case the principle of data minimization.

Steps shall be taken to ensure that any person acting under the authority of the controller or controller and having access to personal data may only process such data in accordance with the instructions of the controller, unless required to do so by Union or Member State law. Among other measures, the necessary personal confidentiality commitments will be requested, in which express mention will be made of the duty of professional secrecy in accordance with the requirements of the General Data Protection Regulations.

In compliance with the purpose limitation principle, personal data will be processed only for the purposes indicated and for no other purpose, and will not be used subsequently in a manner incompatible with the said #fin. Possible treatments that may be necessary for archival purposes in the public interest, scientific or historical research or statistics shall be subject to the guarantees provided for in Article 89 of the RGPD and shall be governed by the legislation applicable to each case. Likewise, in accordance with the principle of data minimization, only data that are adequate, relevant and strictly necessary for the different functionalities of the system will be processed, after assessing the need for their processing and their relevance,

Compliance with the principle of proactive responsibility and the obligation to implement privacy from design and by default has been documented in an impact assessment on data protection.

This impact assessment will be subject to the necessary updates as the system and the application that gives access to it can evolve, progressively incorporating new services for users to those initially available, always within the purposes and functions provided in Application regulation order.

Appropriate technical and organizational measures shall be applied to ensure a level of security appropriate to the risk, including: pseudonymisation and encryption of personal data; the ability to ensure the confidentiality, integrity, availability, and permanent resilience of treatment systems and services; the ability to restore the availability and access to personal data quickly in the event of a physical or technical incident and a permanent procedure for verifying, evaluating and assessing the effectiveness of technical and organizational measures to ensure the security of processing. In particular, the corresponding measures will be applied to the processing of personal data derived from the different functionalities of the system as provided for in the National Security Scheme, thus protecting data security. Such measures shall be properly documented. The necessary measures will also be implemented to ensure the accuracy and updating of the personal data processed.

10.Cookie policy

‍We only use technical cookies that allow the user to browse and use the different options or services offered in the Application, such as identifying the session and identifying you as a registered user each time you access the Application, access restricted access parts or use security features while browsing.

11.Applicable basic regulations

  • ORDER of 18 August 2020 regulating the Passcovid information system. gal as a complementary measure in the management of the health crisis caused by COVID-19.
  • Regulation (EU) 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General Regulation Data Protection).
  • Organic Law 3/2018, of 5 December, on the Protection of Personal Data and the guarantee of digital rights.
  • Law 14/1986, of April 25, General of Health.
  • Organic Law 3/1986, of 14 April, on Special Measures in Public Health.
  • Law 33/2011, of 4 October, General of Public Health.
  • Law 8/2008, of 10 July, on health in Galicia.
  • Law 41/2002, of 14 November, regulating basic patient autonomy and rights and obligations in matters of information and clinical documentation.
  • Law 3/2001, of 28 May, regulating informed consent and the clinical history of patients.
  • Decree 29/2009, of 5 February, which regulates the use and access to electronic medical records.
  • Royal Decree 3/2010, of 8 January, which regulates the National Security Scheme in the field of electronic administration (ENS)