Last Updated: November 30, 2020
Personal Data Privacy Statement Scansmart – VaxCheck
Eason Electronic International is a registered Irish company and is the data controller of your personal data that you submit, or medical staff submit under your instruction, via the ScanSmart app/website. You can contact David Cooke on email@example.com
Our outsourced Data Protection Officer is The Data Protectors They can be reached at firstname.lastname@example.org to answer any queries you have about how we process your personal data or to exercise your legal rights.
How does VaxCheck work?
Prior to visiting your vaccination location (GP, pharmacy, other) you can pre-register your personal data, including optionally a photo of yourself via the ScanSmart website and app.
This pre-register of your personal data will help the vaccination location positively identify you and assist with the administration time associated with personal data input.
When you then visit the vaccination location you will present the alphanumeric token we have texted/emailed to you to the medical staff. The medical staff will input this token value into our website via a secure login portal. The medical staff will have a unique username and password assigned to them to access our databases.
Upon submission of an accurate token value, that we had texted/emailed to you, the medical staff will be presented with your personal details that you have previously inputted. They will confirm your identity with you.
If you are unwilling or unable to pre register with us, the medical staff can enter all your personal data with you and on behalf of you while you are in the vaccination location.
The medical staff in the vaccination location will then enter the details of the vaccine they have just administered to you, vaccine type, pharmaceutical company, expiry date, dosage, and other information related to the vaccine itself.
The medical staff then submit both your personal data and the vaccine data for upload to the ScanSmart servers.
You will then receive a text asking you to confirm that you have requested a vaccination certificate.
Upon receipt of this confirmation we will acknowledge that request and inform you that your vaccination certificate will become available to you electronically, and by request post, two weeks after the date of the last vaccine dose administered. This delay, between the last dose being administered and the vaccination certificate becoming available to you is to allow immunity to take hold in your body. (This default two weeks period may be altered according to developments in vaccines or credible new and unanimously agreed medical research.)
Upon receiving your vaccination certificate you will be able to present it to premises/venues/facilities who have systems in place to accommodate those who have been vaccinated.
If you use VaxCheck in conjunction with our Check-In functionality the premises/venues/facilities will have a record of your attendance and a confirmation of your vaccination.
What data do we collect to use VaxCheck
To create an accurate authenticable vaccination certificate for you we will need to receive from you the following personal data;
Your full name.
Your date of birth.
Your phone number.
Your email address
An identifiable photo of your face.
Upon creation of your vaccination certificate we will date stamp the certificate which will indicate on what date you received your final dose.
The location of the place you received your vaccination will most likely be identifiable when combined with the information on the vaccination certificate and other publicly available information.
We have no access to your texts, emails, photos, videos or GPS data on your phone.
We have no access or control over your phone’s camera or microphone.
We have no access or control over any of your phone’s apps.
Who has access to your personal data?
ScanSmart has access to your personal data you supplied, and has the ability to amend or delete your personal data. Access to your personal data is monitored and is limited to relevant and appropriate personnel whose role is necessary to access the personal data. Access to the database storing your personal data is managed using unique usernames and passwords.
Medical staff who are authorised by legislation to administer vaccines as part of the COVID 19 response and who register with us and who you have chosen to provide your alphanumeric token with will have access to your personal data described above.. We will authenticate that the persons registering with us are appropriate medical staff.
If you have not pre registered with ScanSmart then medical staff will input your personal data as you provide it to them at the time you are being vaccinated. They then will populate the vaccine details in the form so as to create the vaccination certificate.
No third parties have access to your personal data, although we may provide personal data, limited to useful and necessary personal data that would assist statutory health services to track or audit the progression of the vaccine roll out in the wider population.
ScanSmart will not provide personal data to any third parties regarding people who have not been vaccinated including those who may have not taken the full dose or those who pre registered but then exercised their right not to be vaccinated.
If you feel your personal data has been misused by us or any third party we lawfully shared it with you can notify your concerns to our Data Protection Officer at email@example.com
The purpose of us processing your personal data?
To ensure that you have the option to access services and locations to demonstrate you have been fully vaccinated against COVID 19 as may be necessary, and/or beneficial to premises/venues/facilities and the wider public to ensure safety of staff/volunteers and other clients/users of the services and locations as the roll out of COVID 19 vaccination program occurs. You may decide to use ScanSmart VaxCheck functionality in conjunction with its Check In functionality, the full privacy statement for that product can be found here.
How long do we retain your personal data?
We will not delete your personal data until such a time that the COVID 19 emergency phase is discontinued. We estimate this is to be when the legislation introduced by the Irish government on 20th March 2020 is repealed or revoked.
Ten days following that repeal/revocation date we may delete all data collected for the purpose of the processing outlined in this notice.
However there may be an ongoing need, after this repeal/revocation, to retain evidence of your vaccination so as to access some service and locations. If such a need emerges we will retain your data until such a time that the need has ended. If this need does emerge we will contact you to inform you of our decision and your options available in relation to your personal data.
We may retain anonymised metadata for a period of five years following the completion of the vaccination program for the purpose of studies approved or endorsed by the Health Research Board and/or any registered third level education establishment in the EU.
We will however immediately delete any valid requests for deletion made via email to our Data Protection Officer at firstname.lastname@example.org
Legal basis for processing your personal data.
When you provide us the personal data
The processing of personal data is governed primarily by the GDPR and the Irish Data Protection Acts 1988 to 2018.
The legal basis for us processing your data is GDPR Article 6.1 (a) “the data subject has given consent to the processing of his or her personal data for one or more specific purposes.” As the personal data processed, in combination with the vaccine data, will lead to the creation of “data concerning health” our legal basis for the processing of this special category data is GDPR Article 9.2 (a) “the data subject has given explicit consent to the processing of those personal data for one or more specified purposes”.
This consent is captured by the voluntary acts you take when you pre register with us or tell medical staff your personal details and when you click the ‘pop up’ stating that you consent to your data being processed by us.
When we share your personal data with any third parties.
Personal data will only be provided to An Garda Siochana or other statutory authorities under a valid court order.
International transfers of your personal data.
We do not transfer, or store, your data outside of the EU.
How do we safeguard your personal data?
We have put in place appropriate security measures that are designed to prevent unauthorised access to, and misuse of, your personal data. All our staff have been trained in data protection awareness and GDPR compliance practice.
We have instructed and have agreements with the premises/venues/facilities that your data will not be used for any other reason other than that to validate that you have been fully vaccinated against COVID 19.
How can you access, amend or delete the personal data that you have given to us?
When we hold your personal data, you have various rights in relation to it. When you make a request under the following rights we will respond to your request within one month (although we may be allowed to extend this period in certain cases). Please contact our Data Protection Officer email@example.com
Right to rectification: If we have any of your personal data captured incorrectly you have the right to have it rectified.
Right to withdraw consent: Where we have obtained your consent to process your personal data for stated reasons you may withdraw your consent at any time.
Right for a copy of your data: you have the right to ask us to confirm what information we hold about you at any time and request a copy of it.
Right to erasure (delete): In certain situations (for example, where we have processed your data unlawfully or where the lawful basis is on Consent), you have the right to direct us to erase your personal data.
Right to object: If we are using your data because we deem it necessary for our legitimate interests to do so, and you do not agree, you have the right to object.
Right to lodge a complaint with the Data Protection Commission: You have the right to lodge a complaint with the Data Protection Commission they can be contacted at LoCall 1890 25 22 31 or through their online form here.
What are cookies and how do we use them?
A “cookie” is a bite-sized piece of data that is stored on your computer’s hard drive. They are used by nearly all websites and do not harm your system. We use them to track your activity to help ensure you get the smoothest possible experience when visiting our solutions. We can use the information from cookies to ensure we recognise you on any repeat visit to a premises. We do not use any advertising cookies.
If you want to check or change what types of cookies you accept, this can usually be altered within your browser settings.