Online payments, self-check-in and name badges that participants can print themselves on-site – these are just some of the things that add to a more convenient conference experience. They prove particularly useful during pandemic times because they’re mostly contactless and can help reduce the risk of infections at in-person conferences significantly.
Shouldn’t a similar approach also work in regards to collecting vaccination status data? And indeed, many organizers have been asking us about that.
Conference organizers would like to establish an easy way to record participants’ vaccination status and often think about adding an option to their registration form that allows them to ask registrants whether they are vaccinated or not. There could even be an extra field where they can select their vaccine from a list. As an alternative, maybe we could also add a feature for uploading vaccination certificates?
And that holds true – at least from a software-developer’s standpoint as it’s not so difficult to add these functions and make them part of the online registration process. Legally, however, the whole thing turns into a much more complex issue. It’s not just about collecting, storing and processing personal data because these are not just ordinary personal data.
Yes to Proof of Vaccination, No to Data Processing
According to article 9 EU GDPR, vaccination data fall into a special category of personal data as they are concerning the health of a person and therefore require special protection. Private companies and providers are never allowed to collect and process such data when there’s no legal basis. This even applies if the conference management software is otherwise completely compliant with data protection regulations like making sure all data is stored in accordance with the law and no unauthorized person is able to access it.
Presently, there is no such law that would allow for such an exception. In Germany, the Bremen data protection commissioner already clarified this in a press release at the beginning of the year in which she referred to the GDPR article (press release in German).
Even with detailed contracts between conference organizers and software providers, the current regulation can’t be circumvented, and participants giving their explicit consent doesn’t count either as this wouldn’t be something they could opt out of. However, if a person wants to participate in a conference, there is no way around proving their vaccination status. It’s just that the organizer isn’t allowed to store the data.
We Therefore Recommend the Following for Conferences:
Check the proof of vaccination during the on-site check-in and have participants show their certificates. You can add a simple mark for each person that they have provided a certificate. A “yes” or “no” entry is sufficient for this purpose. Keep in mind that you’re not allowed to record details about the proof or the vaccination whether it’s you or the participant that enters the information. Reduce the amount of data you’re collecting here to an absolute minimum.
To prevent participants from being denied access to the conference because they don’t have their certificate with them, your registration form should mention that it needs to be shown when checking in on-site. You can also remind them again via email before the start of the conference.
Have you figured out a good way to make this work at your conferences? Do you have any other tips that might help organizers? Please feel free to share them with us.