SwissCovid App: Data Protection Statement & Conditions of Use

In this Data Protection Statement, the Federal Office of Public Health (FOPH) explains to what extent it will process personal data in connection with the use of the application “SwissCovid app” (hereafter app) in Switzerland. This account is not exhaustive; specific matters may be governed by other data protection statements, similar documents, terms and conditions of use, or applications.

The processing of personal data is governed by data protection legislation. The federal legislation on data protection is applicable to the data processing. In addition, the Data Protection Statement is in line with the Epidemics Act of 28 September 2012 (EpG; SR 818.101) and the Ordinance of 24 June 2020 on the Proximity Tracing System for the Coronavirus SARS-CoV-2 (VPTS; SR 818.101.25).

“Personal data” means all information relating to an identified or identifiable person. “Processing” means any operation with personal data, irrespective of the means applied and the procedure, and in particular the collection, storage, use, revision, disclosure, archiving or destruction of data.

The controller responsible for the data processing described herein is the

Federal Office of Public Health FOPH
3003 Bern
Switzerland
Tel. +41 58 462 69 98
recht(at)bag.admin.ch

The entire app system is designed to ensure that the app user is not identifiable. The processing of personal data is kept to a minimum. Data cannot be traced back by technical means to persons, locations or devices. What is collected is not location data, but merely encrypted data concerning proximity (contact) events. This is protected by technical means against misuse. The FOPH cannot draw any conclusions concerning app users. The app protects users’ data in such a way that it cannot, at a distance, be connected to specific persons. Connection to a specific person cannot, however, be ruled out altogether. There is a certain likelihood that, when someone is notified of a possible exposure, their recollection of social contacts over recent days may allow them to deduce the identity of the infected individual. The notification contains the information that the user may potentially have been exposed to the coronavirus and the date on which this was last the case; it also draws attention to the Infoline offering free advice operated by the FOPH and to the behavioural recommendations of the FOPH. As a result of using the app, persons may thus potentially be identified.

The app system has two components:

• a proximity data management system, comprising software installed by users on their mobile phones and a back end (PM back end);
• a system for the management of codes for the activation of notifications (code management system), comprising a web-based front end and a back end.

Both of the back ends, as central servers, are under the direct control of the FOPH and are operated technically by the Federal Office of Information Technology, Systems and Telecommunication (FOITT). The code management front ends run on the devices of the experts authorised to generate the activation code (Covid code).

The following data is stored on the mobile phone:

• the identification codes (random ID) received from other mobile phones on which the app is running
• the signal strength
• the date and the estimated duration of proximity.

In the event of an infection being confirmed in a user, the following data is recorded in the code management system:

• the activation code (Covid code)
• the date on which the first symptoms appeared, or – if the infected user is asymptomatic – the date of testing
• the time at which this data is to be destroyed.

The PM back end contains a list with the following data:

• the private keys of infected users which were current in the period during which other users were potentially exposed to the coronavirus
• the date of each key.
  

The app system operated by the FOPH is based on the EpG and the VPTS. The exclusive purposes of the app and the associated data processing are, in a privacy-preserving manner, to notify users potentially exposed to the coronavirus and to produce coronavirus-related statistics using data from the two back end systems.

The PM back end data list is made available to the app (or front end) in the retrieval process. Insofar as the FOPH engages third parties in Switzerland or abroad to provide this service, they undertake contractually to comply with the requirements of Article 60a EpG and the VPTS, with the exception of the provisions concerning the source code specified in Article 60a paragraph 5 letter e EpG. The FOPH monitors compliance with the legal requirements. The third parties engaged are not permitted to use non-core data arising in the execution of this task for their own purposes. This data will only be analysed by the FOPH or the FOITT (cf. Section 8).

The FOPH will periodically make available to the Federal Statistical Office (FSO), in an anonymised form, the data currently held in the two back end systems, for purposes of statistical analysis. The FOITT operates the entire software on behalf of the FOPH and provides the necessary technical support service. The FOITT has access to data only insofar as this is necessary for the purposes described and the activities of the employees concerned. They are bound by confidentiality in the management of the data.

The app uses an interface to the operating system of the user’s mobile phone, which entails the processing of data by Apple or Google. The operating system functions used via the interface must comply with the requirements of Article 60a EpG and the VPTS, with the exception of the provisions concerning the source code specified in Article 60a paragraph 5 letter e EpG. The FOPH makes sure that these requirements are complied with, in particular by obtaining appropriate assurances.

The data will be destroyed as soon as it is no longer required for the notification of users. Specifically, it will be destroyed as follows:

• data in the proximity data management system (both on mobile phones and in the PM back end): 14 days after capture
• data in the code management system: 24 hours after capture
  

To protect data against unauthorised access, loss, or misuse, the FOPH, in close collaboration with its internal and external hosting providers and other IT service providers, takes appropriate security measures of a technical (e.g. encryption, pseudonymisation, logging, access controls and restrictions, data backup, IT and network security solutions, etc.) and organisational nature (e.g. staff directives, confidentiality agreements, inspections, etc.) in accordance with the requirements of the Federal Administration and Swiss data protection legislation.

With regard to your data, you have the right to information, rectification, erasure or disclosure. You also have the right to restrict or object to data processing. In addition, you have the right to withdraw your consent, without this affecting the lawfulness of processing based on consent before its withdrawal. These rights are applicable insofar as personal data is present. This is, however, prevented to the greatest possible extent by the “privacy by design” principle underlying the app system, which – through innovative cryptographic methods and decentralised data processing – is designed to ensure that, as far as possible, no information relating to identified or identifiable persons (personal data) is present. For this reason, it is not possible for the FOPH, for example, to provide information on the proximity events logged for a specific person or to correct this data. The FOPH cannot inspect this data, as it is stored only on the mobile phones.

The exercise of your rights requires that you provide clear evidence of your identity (e.g. a copy of identity documents). To assert your rights, you can contact the FOPH at the address given in Section 1.

In the event of infringements of data protection legislation, you can contact the competent data protection supervisory authority or take legal action in accordance with the data protection legislation.

PM back end and code management system access events are logged for the purposes specified in Articles 57l–57o of the Government and Administration Organisation Act of 21 March 1997 (RVOG; SR 172.010). The access events may be statistically analysed. The provisions applicable are Articles 57i–57q RVOG and the Ordinance of 22 February 2012 on the Processing of Personal Data Linked to the Use of the Electronic Infrastructure of Federal Bodies (SR 172.010.442).

Log data will be destroyed as follows:

• Log data from the third parties engaged by the FOPH: 7 days after capture.
• Otherwise, the destruction of log data is governed by Article 4 paragraph 1 letter b of the Ordinance of 22 February 2012 on the Processing of Personal Data Linked to the Use of the Electronic Infrastructure of Federal Bodies (SR 172.010.442).
  

The FOPH may amend this Data Protection Statement at any time without prior notice. The current published version, or the version valid for the period in question, is applicable. This Data Protection Statement has been issued in several languages. In the event of discrepancies, the German version shall prevail. In the event of an update, the app user will be informed of the amendment in an appropriate manner.

1.1      These Terms and Conditions of Use govern the acquisition and use of the application “SwissCovid app” (hereafter app) by users and form an integral part thereof.

1.2      The Federal Office of Public Health (FOPH) app is based on the Epidemics Act of 28 September 2012 (EpG; SR 818.101) and the Ordinance of 24 June 2020 on the Proximity Tracing System for the Coronavirus SARS-CoV-2 (VPTS; SR 818.101.25).

1.3      The purpose of the app is to notify users who have potentially been exposed to the coronavirus and to produce coronavirus-related statistics.

2.1      The installation of the app on a mobile phone and the employment thereof is voluntary for users.

2.2      The use of the app and its functions described in Section 3 is restricted to the territory of Switzerland.

2.3      By accessing the app, the user declares that he or she has understood and accepted the following conditions and legal information relating to the app (and the elements contained therein). If the user does not agree to these conditions, then the app is not to be used.

3.1      Via the app, users are informed if they have been in relevant contact with at least one user confirmed to have been infected.

3.2      The activation of Bluetooth is required for the operation of the app.

3.3      Using an interface to the operating system of the user’s mobile phone, the app fulfils the following functions:

Each day, the operating system generates a new private key, which cannot be connected to the app, the mobile phone or users. Within the range of Bluetooth, the operating system exchanges with all compatible, running apps an identification code (random ID), changing at least every 30 minutes, which is derived from a current private key but cannot be traced back to this key and likewise cannot be connected to the app, the mobile phone or users.

On the mobile phone, the operating system stores the identification codes (random ID) received, the signal strength, the date and the estimated duration of proximity.

The app periodically retrieves a list of the private keys of users known to be infected and allows the operating system to check whether at least one locally stored identification code (random ID) was generated by a private key included in the list. If this is the case, and if proximity of 1.5 metres or less to at least one infected user’s mobile phone was registered, and if the duration of all such proximity events within one day amounts to at least 15 minutes, then the app issues a notification. Proximity is estimated on the basis of the strength of the signals received.

3.4      If an infection is confirmed in a user, experts with access rights (e.g. attending physicians) generate a unique activation code (Covid code), valid for a limited period, which they disclose to the infected user. This user can voluntarily enter the activation code in the app. Notification, or entry of the activation code, occurs only with the explicit consent of the infected user.

Other app users who came into proximity, as defined in Section 3.3, with the infected user during the infectious period are notified by their own apps.

The users thus notified learn that a proximity event has occurred, i.e. that they have potentially been exposed to the coronavirus, and on what date this was last the case. They are not told which user has been infected and has triggered the notification. The notification also informs the user about the Infoline offering free advice operated by the FOPH and the behavioural recommendations of the FOPH.

3.5      Users who are notified by their app that they have potentially been exposed to the coronavirus may, if they provide evidence of the notification, undergo, free of charge, a test for infection with, or for antibodies to, the coronavirus SARS-CoV-2.

3.6      The app also communicates the behavioural recommendations of the FOPH.

3.7      The app does not track the user’s location or use geolocation services.

3.8      The app cannot perform a medical assessment, order any measures (e.g. quarantine), or issue any instructions.

4.1      Users are responsible for technical access to the app.

4.2      Users are required to take the necessary security measures to protect their own devices against unauthorised access by third parties and against malware.

Users’ attention is hereby drawn to the security risks associated with use of the internet and of internet technologies.

4.3      Users are required to keep the app updated. There is no entitlement to use a specific version of the software.

4.4      Users are required to check any data they enter for completeness and correctness.

4.5      When using the app, users are responsible for complying with applicable legal provisions and the Terms and Conditions of Use.

5.1      While the FOPH takes every care to ensure the correctness of the information, content and communications published in the app, it makes no warranty as to the correctness, accuracy, currency, reliability or completeness thereof.

The FOPH expressly reserves the right, at any time, without prior notice, to partly or completely alter, delete or temporarily not publish information and content.

5.2      To the extent permitted by law, any claims for liability against the FOPH due to material or immaterial damage, including consequential damage, arising for example from access to, use or non-use of the app and the associated information, content and communications, from misuse of the connection, from technical faults, or from infringement of the users’ duties of care, are hereby excluded.

The user is responsible for and assumes the risks of any action or behaviour undertaken on account of information, content or communications in the app, e.g. self isolation/quarantine. The FOPH will not be liable under any circumstances for any resultant damage.

5.3      To the extent permitted by law, liability for associates and third parties is excluded.

5.4      The FOPH assumes no responsibility and makes no warranty that the functions and use of the app will be permanently and continuously available and free of errors or faults, that errors will be rectified, or that the servers will be free of viruses or other harmful elements.

The FOPH is entitled to interrupt or discontinue use of the app at any time.

5.5      The FOPH is not responsible for references and links to third party websites. The FOPH assumes no liability for the continued existence, content or correctness of such information. Access to and use of such websites is at the user’s own risk. The FOPH explicitly states that it has no influence on the design, content or offerings of linked-to pages. Responsibility for information and services provided by linked-to websites lies entirely with the third party in question.

No responsibility whatsoever is accepted for such websites.

6.1      On the basis of Article 13 of the Federal Constitution of the Swiss Confederation and the provisions of federal data protection legislation, every person has the right to privacy and to be protected against misuse of their personal data. The FOPH complies with these provisions. Personal data is treated in strict confidence.

6.2      In close collaboration with its service providers, the FOPH makes every effort to protect data against unauthorised access, loss, misuse or falsification.

6.3      The processing of personal data by the FOPH is governed by the Data Protection Statement of the app.

7.1      Use of the app can be terminated by the user at any time by deleting/uninstalling it from the mobile phone.

7.2      If the app is no longer required, or proves inadequate, to manage the epidemic caused by the coronavirus, the Federal Council may terminate or deactivate the app.

7.3      At the latest when the Ordinance mentioned in Section 1.2 is no longer in force, the FOPH will deactivate the app and request users to uninstall it from their mobile phone.

8.1      Copyright: Federal Office of Public Health FOPH.

8.2      The information and content is made accessible to the public. The content published in the app by the FOPH is for personal use only. Any further reproduction or passing-on of content to third parties is not permissible. The downloading or copying of content, images, photos or other files does not result in any transfer of rights as regards the content.

Copyright and any other rights relating to content, images, photos or other files in this app are held exclusively by the FOPH or the specially designated rights holders. For the reproduction of any elements whatsoever, written consent is to be obtained in advance from the copyright holders.

9.1      These provisions have been issued in several languages. In the event of discrepancies, the German version shall prevail.

9.2      Use of the app is free of charge for users. Any costs arising for network access to enable use of the app are borne by the user.

9.3      The FOPH reserves the right to amend or add to the Terms and Conditions of Use at any time. The new conditions will be communicated to users in advance in an appropriate manner and will be deemed to have been accepted if no objection is received within one month.

9.4      Should one provision of the Terms and Conditions of Use be invalid or inoperative, the other provisions thereof shall not be affected.

9.5      Swiss law shall apply, subject to any divergent mandatory provisions. The exclusive venue for all disputes shall be the competent Swiss court.