Last updated on 07.06.2021

Are my data secure?

Personal data and COVID certificates are not stored on any central federal government systems

The federal government is responsible for data security when generating COVID certificates within the federal system.

Personal data are not stored centrally within the Federal Administration. The personal data required for the signing of the certificate are deleted by the federal government’s system as soon as the certificate has been generated and issued.

When checking the COVID certificate using the verifier app provided by the federal government, only the information required to check and relate to a specific person is displayed.

Holders of a COVID certificate are responsible for keeping the certificate safe. They themselves decide who they present the COVID certificate to and what personal data they disclose.

If you use the dedicated “COVID Certificate” app, the COVID certificate is only stored locally on your mobile device.
Even when checking the COVID certificate, it is technically impossible for personal data to be stored – either on the Federal Administration’s servers or by third parties in the verifier app.

The COVID certificate contains a digital signature, which makes it forgery-proof. Access to the certificate on the mobile device can also be protected using Face ID, Touch ID or a PIN.

If you lose your COVID certificate, you can request another one from the issuer. You can read more on this here.

How the security of the certificate system is being tested

The “COVID Certificate system” – the system for generating and issuing COVID certificates – is open source and the software’s source code is publicly accessible.

Before the system is rolled out, a comprehensive public security test is being conducted under the supervision of the National Cybersecurity Centre NCSC. IT and security specialists outside of the project team and the Federal Administration will review the source code as part of the test and report their findings and observations to the NCSC. This way, any security vulnerabilities can be ironed out before the rollout of the certificate system.