1. This Policy explains how your personal data is processed when you register on the Coga.App website, create a CoGa QR (Quick Response) code and use it to check in and out of venues that have registered with CoGa ("Registered Venues").
2. The CoGa Platform ("CoGa App") has been designed to facilitate entry-exit recording by Registered Venues while protecting privacy and personal data, meaning that:
3. CoGa App is operated by 2GIK Sàrl (“2GIK”), a registered legal entity in Switzerland. 2GIK facilitates the registration of individuals and venues and the transfer of data to the SMC. 2GIK cannot access any personal data collected from the individual, processed by registered venues, or transferred to the SMC.
4. Registered Venues that use the CoGa App to record the entry and exit of individuals using the Coga App have strictly limited access to personal data, which is only visible at the point of entry, to facilitate identity checks where needed. Only authorized personnel within Registered Venues have access to this data.
5. SMC, which is authorized to receive data about individuals who have visited a registered venue at the same time as someone with a SARS-CoV-2 (COVID-19) diagnosis for the purposes of contacting them.
6. Use of the CoGa App is optional. Registration via the CoGa App website and QR code creation is on the basis of your consent.
7. The website deploys two functional “cookies” (see further below) on the basis of our agreement to provide you with a QR code and our legitimate interest in maintaining the security of the processing.
8. The registration of venues, collection of data about the entry and exit of individuals using the CoGa App, and the transfer of relevant data to SMC takes place in accordance with the legal obligation on venues to collect data about those present and the public interest in preventing the spread of COVID-19.
9. Personal data is processed for the purposes of
10. On individuals using the CoGa App:
11. Registered Venues
13. Registered individuals and QR codes:
14. Data on Registered Venues and their visitors:
15. SMS data is deleted by CoGa App and the processors it uses to send the messages delete the data from their servers as soon as they have been delivered. The telecommunications networks which carry the messages may, however, retain the traffic and content data related to the SMS for up to six months in accordance with their data retention obligations under Swiss law. This is outside the control of CoGa.
16. Your data is encrypted in your QR code which is a two-dimensional barcode with the ability to encode data. The data is linked to the Registered Venues that you have visited when they scan your QR code. It is only decrypted and accessible by SMC if it is necessary for the purposes of contact tracing.
17. In the event that someone with a COVID-19 diagnosis is traced to a Registered Venue, SMC may request the disclosure of information from that Registered Venue concerning persons present at the same time. The Registered Venue may authorize the transfer of data concerning the relevant individuals, or request further information from the SMC if this is needed to validate the request.
18. Disclosure authorization allows SMC to access data on relevant individuals only: those present at the venue during the specified timeframe.
19. Information security is achieved through data segregation, robust access controls and encryption. The information security features, architecture and code base have been audited and verified by computer scientists at the University of Geneva.
20. Personal data is processed by the following entities, pursuant to the Data Controllers’ instructions:
21. The CoGa App website deploys the following strictly necessary cookies for the purposes of facilitating account creation and ensuring data security:
22. Pursuant to the Swiss Federal Data Protection Act (revised September 2020), individuals may have the following rights:
23. The design of the CoGa App imposes some practical limitations on the exercise of these rights. As noted above, for example, 2GIK and Registered Venues do not have access to entry-exit data, which is automatically deleted after 14 days. For further information, or to make data subject rights related requests or complaints contact:
24. You also have the right to lodge concerns or complaints with the relevant cantonal and municipal data protection authorities in Switzerland. Data subjects covered by EU law may also be entitled to lodge complaints with the data protection supervisory authority in their country of residence.
This Policy was published on 30 November 2020. It may be updated in future. We will maintain an accessible record of any such changes.