
REGULATION

What the GDPR provides


To analyze the personal data processing issues raised by systematic, large-scale monitoring of the location of and/or contacts between natural persons, the EDPB starts from the shared premise that these activities can be legitimized only by relying on voluntary adoption by users for each of the respective purposes.

The creation of applications for contact tracing must be based on the principles of accountability, limitation of processing purposes, minimization, data protection by design and by default and limitation in data retention.

In application of these principles, the applications in question should not track individual movements but should instead use proximity information relating to users; they should prevent the re-identification of users, and the information collected should reside in the user's terminal equipment.

Because these applications operate by storing information in, and/or accessing information already stored in, the user's terminal equipment, the user's consent is not required where those operations are strictly necessary for the application provider to deliver the service requested by the user. The user's consent is required for processing operations that are not strictly necessary.

The EDPB observes that the processing of personal data necessary for the functioning of the applications in question could also be based on the need to perform a task of public interest or connected to the exercise of public authority vested in the data controller pursuant to art. 6, para. 1, lett. e) of the GDPR, if the service is provided by a public entity that operates on the basis of a mandate conferred by law and in compliance with the requirements set out in that law.

The use of tracking applications to combat the spread of COVID-19 could also involve the processing of personal data relating to health which, as such, are subject to the particular guarantees referred to in art. 9 of the GDPR. In this context, the processing of this type of personal data could be permitted as necessary for reasons of public interest in the public health sector under the conditions set out in art. 9, para. 2, lett. i) of the GDPR, or for health care purposes pursuant to art. 9, para. 2, lett. h) of the GDPR, or could be based on the explicit consent of the data subject as required by art. 9, para. 2, lett. a) of the GDPR.

According to the EDPB, the use of contact tracing applications, even if carried out in compliance with the principles mentioned above, cannot replace the manual tracing of contacts carried out by qualified public health personnel. It is these personnel who will be able to establish how likely it is that a close contact will result in transmission of the virus. Furthermore, operational instructions received by an individual who appears to have been in contact with COVID-19 positive individuals should not be based solely on automated processing.

Furthermore, the EDPB believes that the algorithms used by the applications should be verifiable and subject to periodic review by independent experts, that the source code should be made public, and that subsequent data and analyses should be subject to correction.

Before the tracking applications in question are implemented, and taking into account the high risk that their use entails for the rights and freedoms of individuals, the data controller must carry out a data protection impact assessment ("DPIA") pursuant to art. 35 of the GDPR. The publication of the results of the DPIA is highly recommended by the EDPB.

Finally, the EDPB indicates the functional requirements for contact tracing applications, with particular reference to the identifiers used, the design according to a centralized or decentralized approach (the latter more compliant with the minimization principle), the information that must be collected from the servers involved in the tracking system, the encryption techniques to be used to ensure the secure storage of data held in the servers and applications, and the techniques for reporting in the application users infected with COVID-19.

The EDPB has also adopted a Guide for contact tracing applications, attached to the Guidelines 04/2020. This Guide aims to provide general guidance to designers and developers of tracing applications, emphasizing that each assessment must be made on a case-by-case basis.

To counter the spread of COVID-19, we offer innovative solutions for access control using facial recognition, body temperature measurement and contact tracking technologies in full respect of privacy. IntellyScan® is a registered trademark.
