1. Why use tracing and warning apps?
Tracing and warning apps can help break the chain of coronavirus infections, nationally and across borders, and save lives by complementing manual tracing. In the fight against the coronavirus, most Member States have launched a national contact tracing and warning app.
In addition to the above it is noted that this application has not been created to replace the active tracing process carried out by the Ministry of Health with the conventional method.
2. Who has provided you with this app and who is involved in Data Management?
This app has been developed by CYENS CoE and KIOS CoE under the coordination of the National Electronic Health Authority, and the Advisory Role of the Ministry of Research, Innovation and Digital Policy (DMRID) and the Ministry of Health(MoH). The roles of each organization on Data and Privacy Management in detail are as follows:
· The MoH has the role of the national data controller (i.e., is responsible for the processing of personal data collected by the CovTracer-EN mobile app), as well as the role of the EU-level joint data controller, together with the data controllers in other EU member states with regards to the cross-border interoperability with other national contact tracing mobile applications.
3. Is using the App voluntary?
Using the App is entirely voluntary. It is your decision alone whether and how you use the App. Although installing and using the App is voluntary, if you wish to use the exposure logging feature you still have to grant the MoH as Data Controller your consent to let the App process your personal data. You do this by tapping on the “Activate Proximity Tracking” button, the first time you open the App. Your consent is necessary because otherwise the App will not be able to access your smartphone’s exposure logging feature. You can, however, use the toggle switch in the App to disable the exposure logging feature at any time. Doing this will mean that you are unable to use the full functionality of the App. Transmitting your random IDs and any information about the COVID-19 test date and the date of the onset of your symptoms for transnational alerts (see question 10) is voluntary. You will not be penalised if you do not share this information. Since it is not possible to trace or check whether and how you use the app, nobody but you will know whether you provide your random IDs.
· The MoH engaged the CYENS CoE and the KIOS CoE as data processors to perform the processing of personal data both for the operation of the CovTracer-EN application at a national level, as well as the cross-border interoperability of CovTracer-EN with other national contact tracing mobile applications according to Article 28(3) EU GDPR.
4. On what legal basis is your data processed?
In principle, the MoH will process your personal data only on the basis of your consent granted pursuant to Article 6(1) Sentence 1(a) and Article 9(2)(a) of the General Data Protection Regulation (GDPR). If you have granted your consent, you can withdraw it at any time. Further information on your right of withdrawal and instructions on how to exercise this right can be found under Paragraph 11 of this notice.
5. Who is the App aimed at?
The App is aimed at people who are resident in Cyprus and are at least 18 years old.
6. What personal data is processed?
The App is designed to process as little personal data as possible (see Sections 5a, 5b and 5c below for details). This means, for example, that the App does not collect any data that would allow the MoH or other users to infer your identity or location. In addition, the App deliberately refrains from using tracking tools to record or analyse how you use the App. Data collected from users positive to COVID-19 are stored to the national backend, maintained by KIOS CoE and managed/owned by MoH. The data processed by the App can be grouped into the following categories:
a. Access data
Access data is generated when you use the “Report positive test result” feature. Each time data is retrieved from the App’s server system, your IP address (on the upstream load balancer) is masked and no longer used within the App’s server system. The following data is also processed:
● Date and time of retrieval (time stamp)
This access data is only processed to secure and maintain the technical infrastructure. You are not identified personally as a user of the App and it is not possible to create a user profile. The IP address will not be saved beyond the end of the period of use.
b. Contact data
If you enable Proximity Tracing in your smartphone’s operating system, which serves to record encounters (contacts) with other users, then your smartphone will continuously send out randomly generated identification numbers (“random IDs”) via Bluetooth Low Energy, which other smartphones in your vicinity can receive if exposure logging is also enabled on them. Your smartphone, in turn, also receives the random IDs of the other smartphones. In addition to the random IDs received from other smartphones, your smartphone’s exposure logging functionality records and stores the following contact data:
● Transmitted data volume (or packet length)
● Notification of successful retrieval.
● Date and time of the contact
Your own random IDs and those received from other smartphones as well as the other contact data (date and time of the contact, duration of the contact, signal strength of the contact and encrypted metadata) are recorded by your smartphone in an exposure log and currently stored there for 14 days. The functionality used to record encounters with other users is called “COVID-19 Exposure Notifications” on Android smartphones and “COVID-19 Exposure Logging” on iPhones. Please note that this exposure logging functionality is not part of the App, but an integral part of your smartphone's operating system. This means that the exposure logging functionality is provided to you by Apple (iPhones) or Google (Android smartphones) and is subject to these companies’ respective privacy policies. The MoH has no influence on data processing performed by the operating system in connection with exposure logging. More information about the exposure logging functionality on Android smartphones is available at: https://support.google.com/android/answer/9888358?hl=en.
More information about Apple’s exposure logging functionality can be found in your iPhone’s settings under “Privacy” > “Health” > "COVID-19 Exposure Logging”. Please note that the exposure logging functionality is only available if iOS version 13.5 or higher is installed on your iPhone. The App will only process the contact data generated and stored by your smartphone if the App’s Proximity Tracing feature is enabled.
c. Health data
Health data is any data containing information about the health of a particular individual. This includes not only information about past and current illnesses, but also about a person’s risk of illness (such as the risk that the person has been infected with the coronavirus). For users infected to COVID-19, health data involves the pseudonymised infected/diagnosis keys, user’s COVID-19 test date and the symptoms’ starting date
● Duration of the contact
● Bluetooth signal strength of the contact
● Encrypted metadata (protocol version and transmission strength).
7. App features
a. Proximity Tracing
The App’s core functionality is exposure logging. This serves to track possible contacts with other users of the App who are infected with the coronavirus, to evaluate the risk that you yourself have been infected, and – based on the risk identified – to provide you with health advice and recommendations for what to do next. If you enable the exposure logging feature, then several times a day while the App runs in the background, the App will retrieve a list from the App’s server system of random IDs from users who have tested positive and shared their own random IDs. The App shares these random IDs with your smartphone’s exposure logging functionality, which then compares them with the random IDs stored in your smartphone’s exposure log. If your smartphone’s exposure logging functionality detects a match, it transfers the contact data (date, duration, signal strength) to the App, but not the random ID of the contact in question.
In the event of a contact, the App analyses the contact data provided by the exposure logging functionality in order to determine your individual risk of infection. The evaluation algorithm which determines how the contact data is interpreted (for example, how the duration of a contact influences the risk of infection) is based on current scientific findings and the guidelines provided by the Department of Epidemiology, MoH, Government of Cyprus. To account for new findings as and when they arise, we may update the evaluation algorithm by adjusting its settings. The settings for the evaluation algorithm are sent to the App together with the list of random IDs of infected users. The identification of your risk of infection is only carried out locally on your smartphone, meaning that the data is processed offline. Once identified, the risk of infection is also only stored in the App and is not passed on to any other recipients (MoH). The legal basis for the processing of your access data, contact data and, if applicable, health data (if the App determines that you may have been infected) described above is your consent which you gave when enabling the exposure logging feature. We note that health data involves the user’s pseudonymised infected/diagnosis keys, user’s COVID-19 test date and the symptoms’ starting date.
b. Using the App for information purposes only
As long as you use the App for information purposes only, i.e. do not use any of the App features mentioned above and do not enter any data, then processing only takes place locally on your smartphone and no personal data is generated.
8. What permissions and functionality does the App require?
The App requires access to a number of your smartphone’s features and interfaces. For this purpose, you need to grant the App certain permissions. Permissions are programmed differently by different manufacturers. For example, individual permissions may be combined into permission categories, where you can only agree to the permission category as a whole. Please note that if the App is denied access, you will not be able to use any or all of the App’s features.
a. Technical requirements (all smart phones)
b. Android smart phones
If you are using an Android device, the following additional system features must be enabled:
The App requires an internet connection for the Proximity Tracing feature, and so that it can receive and transmit test results, so that it can communicate with the App’s server system.
Your smartphone’s Bluetooth interface must be enabled for your smartphone to record random IDs from other smartphones and store them in the device’s exposure log.
● Background operation
The App runs in the background (i.e. when you are not actively using the App) in order to be able to automatically identify your risk and query the status of a registered test. If you deny the App permission to run in the background in your smartphone’s operating system, then you must start all actions in the App itself.
● COVID-19 Exposure Notifications
c. iPhones (Apple iOS)
If you are using an iPhone, the following additional system features must be enabled:
The App’s exposure logging feature requires this functionality. Otherwise, no exposure log with the random IDs of your contacts will be available. The functionality must be enabled within the App to allow the App to access the exposure log.
Your smartphone’s location service must be enabled for your device to search for Bluetooth signals from other smartphones. Please note that no location data is collected in this process.
The user is notified locally of the identified risk and available test results. The necessary notification function is already enabled in the operating system.
● COVID-19 Exposure Logging
9. When will data be deleted?
All data stored in the App is deleted as soon as it is no longer needed for the App features: The list of random IDs of users who have shared a positive test result will be deleted from the App immediately, and also automatically deleted from your smartphone’s exposure log after 14 days. The MoH have no way of influencing the deletion of contact data in your smartphone’s exposure log (including your own random IDs) and contact data on other smartphones, as this functionality is provided by Apple or Google. In this case, the deletion depends on what Apple or Google has determined. Currently, the data is automatically deleted after 14 days. It may also be possible, using the functionality provided by Apple and Google, to manually delete data in your device’s system settings.
The risk status displayed in the App will be deleted as soon as a new risk status has been determined. A new risk status is usually determined after the App has received a new list of random IDs.
The App’s exposure logging feature requires this functionality, otherwise no exposure log with the random IDs of your contacts will be available. The functionality must be enabled within the App to allow the App to access the exposure log.
The user is notified locally of the identified risk and available test results. Notifications must be enabled for this.
10. Who will receive your data?
If you are tested positive for SARS-CoV-2 and aim to warn other users voluntarily, your random IDs from the last 14 days will be passed on to the App on other users’ smartphones, via the national backend. The national backend will also store information about your COVID-19 test date and the symptoms’ starting date.
The MoH has commissioned KIOS CoE to operate and maintain part of the technical infrastructure of the App (e.g. server system), meaning that this centre is processor under data protection law and acting on the MoH’s behalf (Article 28 GDPR).
Otherwise, the MoH will only pass on personal data collected in connection with your use of the App to third parties if the MoH is legally obliged to do so or if this is necessary for legal action or criminal prosecution in the case of attacks on the App’s technical infrastructure. In other cases, personal data will not generally be passed on. We also note that data (i.e., pseudonymised infected/diagnosis keys, user’s COVID-19 test date and the symptoms’ starting date) may be transferred with a user’s consent to the joint controllers of other EU member countries through the EFGS which is describe below.
11. What are EFGS and are data shared with another EU member state?
The EFGS (European Federation Gateway Service) is a service operated by the EU member states, so that every European citizen may receive exposure notifications if he/she came in touch with any other European citizen. It is responsible for the management of users’ data (i.e., pseudonymised infected/diagnosis keys, user’s COVID-19 test date and the symptoms’ starting date) from each EU member state that participates and for the sharing of this data between countries. The implementing decision about the EFGS is available here: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32020D1023&from=EN
The data generated when the App is used is processed on servers in Cyprus. As mentioned, since Cyprus participates in the EU coalition of many member states effort of coordinated cross boarder contact tracing apps within the EU, the user’s data (i.e., pseudonymised infected/diagnosis keys, user’s COVID-19 test date and the symptoms’ starting date) may be shared with the user’s consent to the joint controllers of other EU member states that participate through the EFGS.
You can find more information on this here https://ec.europa.eu/info/live-work-travel-eu/coronavirus-response/travel-during-coronavirus-pandemic/how-tracing-and-warning-apps-can-help-during-pandemic_en as well as a specific list of EU countries with interoperable apps here https://ec.europa.eu/info/live-work-travel-eu/coronavirus-response/travel-during-coronavirus-pandemic/mobile-contact-tracing-apps-eu-member-states_en
The list of Joint controllers can be found here in PDF format https://ec.europa.eu/health/sites/health/files/ehealth/docs/gateway_jointcontrollers_en.pdf or retrieved in an updated format form the eHealth network document site here https://ec.europa.eu/health/ehealth/key_documents_en#anchor0
This allows the official COVID-19 tracing apps of all participating EU member countries, which are connected to the EFGS shared exchange server, to retrieve the current lists of infected keys from all those EU Countries that participate or will participate in this, which means that users who are currently abroad on holiday or business trips for example, can also be warned. All data is subject to the strict requirements of the General Data Protection Regulation (GDPR) and the Commission Implementing Decision (EU) 2020/1023 of 15 July 2020 amending Implementing Decision (EU) 2019/1765 as regards the cross-border exchange of data between national contact tracing and warning mobile applications with regard to combatting the COVID-19 pandemic (available at:
12. Withdrawal of consent
You have the right to withdraw any consent you granted the MoH in the App at any time with effect for the future. Please note that:
1. This will not affect the lawfulness of any processing occurred before the withdrawal
To withdraw consent related to the Exposure Notification:
2. This will not affect any Data (i.e., diagnosis keys, test date, symptoms’ date,) and IDs already transmitted following your consent. This is because once you consent to the sharing of these they are transmitted to the Cyprus Server, EFGS and other Users and the MoH has no way of interfering. As such, the withdrawal of your consent will not apply to those Data and IDs already shared but only apply for those IDs not already shared
1. for Devices with iOS version 13.5 or 13.6, select the following: System Settings > Privacy > Health > COVID-19 Exposure Logging > Disable Exposure Logging;
To withdraw your consent with respect to the random IDs sharing:
2. for Devices with iOS version 14, select System Settings > Exposure Notifications > Disable Exposure Logging;
3. for Devices with Android system, select the following: Settings > Google > Notifications about the risk of exposure to COVID-19 -> Disable Notifications about the risk of exposure; after the User's confirmation, the Exposure Notification will cease to operate.
· You can go to “Settings” menu on the CovTracer App and then click on “Delete my data”, to have your data removed immediately from your phone. Note however that as mentioned above this will not and cannot affect any IDs already transmitted as we have no way of interfering with data already shared.
13. Can I see the app code?
The app code is available on the CYENS page on GitHub:
14. Your other rights under data protection law
If the MoH processes your personal data, you also have the following data protection rights:
● the rights under Articles 15, 16, 17, 18, 20 and 21 GDPR,
● the right to contact MoH and raise your concerns (Article 38(4) GDPR) at firstname.lastname@example.org
● the right to launch a complaint with the Office of the Commissioner for Personal Data Protection of Cyprus or the European Data Protection Officer (DPO).
● The Right to contact the Data Protection Officer for the relevant department of the MoH at:
○ Email: MPHS_DPO@mphs.moh.gov.cy
○ Phone number: +357 22605603
○ Address: Department of Medical and Public Health Services, Ministry of Health, 1 Prodromou & Chilonos Street 17, 1448 Nicosia, Cyprus