Series on Data Protection and Corona – Part 2: Data processing in connection with the coronavirus

20. March 2020

In the course of the coronavirus, the employer is in a field of tension between, on the one hand, the protection of his own employees, the safeguarding of the operational procedures and the containment of the pandemic, and, on the other hand, the requirements that are placed on him in regard to data processing, in particular the processing of health data.

Some may not consider compliance with data protection requirements to be of paramount importance in the current situation.

Nevertheless, the data processing, especially the processing of sensitive data, should comply with the data protection requirements of the DSGVO and national data protection implementation law.

In Part 1 of the series we gave you a short overview on statements of the European Data Protection Authorities (DPA), which have been published by now. With this blog post we want to inform you on data processing in connection with the coronavirus.

Measures required by data protection law

The necessary measures to be observed and carried out in case of data processing relating to coronavirus do not differ fundamentally from those which must also be taken in any other data processing. The statements of the DPAs also do not indicate any relaxation with regard to data protection regulations.

These required measures include, among others:

  • the comprehensive information of the concerned data subjects according to Art. 13 (in this context, reference is already made to tomorrow’s article, which deals with this topic in detail),
  • the secure storage of personal data – further information on this will follow in the course of this article,
  • the maintenance of a records of processing activities pursuant to Art. 30 para. 1 GDPR.

Secure storage of personal data

If the data processing is based on a legal basis from Art. 9 para. 2 DSGVO several data security measures must be taken into account to ensure the security of the data processing.

Without claiming to be exhaustive, the following measures will be discussed here, with examples given:

  • Sensitisation of those involved in processing operations;
    • data protection training of the employees involved in data processing,
    • raising awareness of the particular importance of sensitive data, such as health data,
    • Reference to compliance with data protection standards, even in times of the Corona crisis.
  • Designation of a data protection officer;
    • if you are unsure whether and how you process personal data, appoint a data protection officer,
    • o If you have already appointed a data protection officer, please contact him or her and ask for support.
  • Restriction of access to personal data within the responsible body and by contract processors;
    for example, through:

    • Introduction of an access concept and adherence to the ‘need-to-know principle’ – make sure that the circle of people with access rights is as small as possible,
    • Locked storage of paper-bound documents, e.g. in a safe or at least a lockable cabinet (the power of the keys should of course also be limited),
    • Password-protected digital documents (restrictive passing on of the password under consideration of the ‘need-to-know principle’).

The series on Data Protection and Corona will be continued tomorrow with a blogpost on “Tips for Information Notices”.

For up-to-date information (in German) you are welcome to follow us on Twitter.

We wish you all the best, stay healthy and protect yourself and others.

Series on Data Protection and Corona – Part 1: Statements of the European Data Protection Authorities

19. March 2020

The Coronavirus is omnipresent at the moment and affects each and every one of us.

Even if it is not obvious at first, data protection and the Coronavirus certainly have points of contact, namely when personal data is processed in relation to the virus. This can be the case both in the employment context and also in relation to visitors and suppliers to a company. For example, in order to protect their own employees, one company may conduct access controls at the entrance to the company’s premises, while another company may ask their own employees about symptoms of the virus.

We would like to discuss these and other topics related to “Data Protection and Corona” with you in the next few days.

Today we would like to start this series by summarising the statements made so far by various European data protection authorities.

Legal basis for processing

The legal basis for the respective collection or processing of personal data within ann EU context can be found in the EU General Data Protection Regulation (GDPR) in conjunction with the respective national/state data protection laws and technical laws.

The legal basis for processing personal data follows from Art. 6 GDPR and for processing sensitive personal data, like health data, from Art. 9 GDPR.

Consent, pursuant to Art. 6 para. 1 s. 1 lit. a) GDPR and Art. 9 para. 2 lit. a) GDPR, should only be used as a legal basis if the data subjects have been fully informed about the data processing and have given their voluntary consent to a measure.

For the processing of personal employee data by public employers, the legal basis will be Art. 6 para. 1 s. 1 lit. e) GDPR. In this case, the data protection authorities recognise a measure in the public interest. Non-public employers act within the scope of their obligations arising from the employment relationship, Art. 6 para. 1 s. 1 lit. f) GDPR. In this context, special regulations from a member state’s collective bargaining law, labour law and social law may also need to be consulted. In the case of sensitive data processing the escape clause of Art. 9 para. 2 lit. b) GDPR in conjuction with the respective member state law must be observed.

In relation to processing the personal data of third parties, e.g. guests or visitors, measures taken by public authorities must be based on Art. 6 para. 1 s. 1 lit. c) and e) GDPR, and if necessary, in conjunction with the respective member state laws. For measures taken in the non-public sector, Art. 6 para. 1 s. 1 lit. f) may serve as a legal basis. When processing sensitive data of third parties, Art. 9 para. 2 lit. i) in conjunction with member state laws may be applicable.

List of Statements

In the following, we provide you a comprehensive list of statements made by various European data protection authorities on the processing of personal data in light of the Coronavirus up to this point:

The series on Data Protection and Corona will be continued tomorrow with a blogpost on “Data Protection in connection with the coronavirus”.

For up-to-date information (in German) you are welcome to follow us on Twitter.

We wish you all the best, stay healthy and protect yourself and others.

CNIL announces focus for Control Procedures in 2020

16. March 2020

The french Commission Nationale de l’Informatique et des Libertés (CNIL) has announced their focus in regards to the Control Procedures they intend to take in 2020.

Out of 300 Control Procedures done in one year, in 2020 at least 50 of those are going to be focused on three prioritized themes: health data security, geolocation and cookies compliance. The CNIL decided on prioritizing these areas because of the high relevance all of them have on the daily life of the french citizens.

Especially in regards to health data because of the sensitive nature of the data collected, as well as geological data, due to the never ending new solutions to transportation or enhancements to daily life, it is important to keep an eye on the scope of the data processing and the private sphere which is affected.

Regarding cookies and other tracers, CNIL continues to underline the importance in regards to profiled advertisement. On top of the planned Control Procedures, the CNIL intends to publish a recommendation in the spring of 2020 with regards to cookies. It will keep an eye on the implementation of the recommendation, and give companies a 6 months period to adjust and implement them.

The CNIL also stated that in addition they will continue to work together with other national Data Protection Authorities, in order to ensure the regulation of transnational data processing.

Greek Data Protection Authority releases Guidance on Cookies

On 25 February 2020, the Hellenic Data Protection Authority (DPA) published a guidance on Cookies and other tracking tools. Previously, the Authority had found that Greek websites and service providers have been largely failing to comply with the rules on the use of Cookies and other trackers set out by the ePrivacy Directive and the GDPR, and reaffirmed by the European Court of Justice’s ruling on Planet 49.

The guidance states that it will be relevant to HTTP/S Cookies, Flash Cookies, local storage applying to HTML 5, device fingerprinting, OS identifiers, and material identifiers.

The Greek DPA reiterated that, generally, providers are obliged to obtain the user’s consent if they are using any tracking tools – irrespective of whether the processing of personal data is taking place. It also outlined that technically necessary trackers are exempt from the obligation to consent. Furthermore, the guidance goes into detail on how information and consent can be made available on websites specifically.

Lastly, the Authority has given Greek website providers a grace period of two months to implement the provisions of this guidance and thereby become compliant with the European rules on tracking tools.

EDPB publishes GDPR Implementation Review

The European Data Protection Board (EDPB) released a review dated from February 18th, in a contribution to the evaluation of the General Data Protection Regulation (GDPR), which has reached its 20th month of being in effect.

Overall, the EDPB stated that it has a positive view of the implementation of the legislation in the different European Countries over the past 20 months. Furthermore, it deems a revision of the legislative text as likely, but not yet necessary in the near future.

The EDPB praised the Data Protection Authorities and their work up til now, saying it hopes that the cooperation between them will create a common data protection culture and consistent monitoring practices. But the report also mentioned that Supervisory Authorities in the countries face restrictions due to different national procedures and practices, which can hinder the cooperation. Furthermore, the EDPB sees a need to increase the funding for Supervisory Authorities to improve and support their duties.

On another note, the EDPB has acknowledged the challenges of implementation for Small to Medium sized Enterprises (SMEs). It says it is aware of these challenges, and works together with Supervisory Authorities to facilitate the supporting tools they have put out in order to support SMEs.

Lastly, it raised concerns about the timeframe of the new ePrivacy Regulation, and urged lawmakers to bundle their focus and efforts to carry on with its development.

Dutch DPA fines Tennis Association

12. March 2020

The Dutch Data Protection Authority has fined the Royal Dutch Tennis Association (“KNLTB”) with EUR 525,000 for selling personal data of more than 350,000 of its members to sponsors who had contacted some of the members by mail and telephone for direct marketing purposes.

In 2018, the KNLTB illegally provided personal data of its members to two sponsors for a fee. One sponsor received personal data from 50,000 members and the other sponsor from more than 300,000 members. It turned out that the KNLTB sold personal data such as name, gender and address to third parties without obtaining consent of the data subjects.

The KNLTB found that it had a legitimate interest in selling the data. However, the data protection authority rejected the existence of a legitimate interest for the sale of the data and therefore decided that there was no legal basis for the transfer of the personal data to the sponsors. The KNLTB has objected to the fine decision. The Dutch Data Protection Authority will assess this.

 

 

German Robert-Koch-Institute discusses mobile phone tracking to slow down the spreading of the Coronavirus

9. March 2020

According to a news report by the German newspaper “Der Tagesspiegel”, a small group of scientists at the Robert-Koch-Institute (RKI) and other institutions are currently discussing the evaluation and matching of movement data from mobile phones to detect people infected with the Coronavirus (COVID-19).

The scientists, who are trying to slow down the spreading of the disease, complain about the problem of the time-consuming and vague questionings of infected people on who they came in contact with. The evaluation and matching of mobile phone data may be more accurate and could speed up the process of identifying infected people, which could be essential for saving lives.

In a comment, the German Federal Commissioner for Data Protection Ulrich Kelber expressed that this procedure may cause large data protection issues, especially with regards to having a legal basis for processing and the proportionality of processing according to the GDPR.

Belgian DPA releases Direct Marketing Recommendation

4. March 2020

On February 10, 2020, Belgium’s Data Protection Authority (the Belgian DPA) has released their first recommendation of 2020 in relation to data processing activities for direct marketing purposes.

In the recommendation the Belgian DPA addressed issues and action proposals in regards to the handling of direct marketing and the personal data which is used in the process. It emphasized the importance of direct marketing subjects in the upcoming years, and stated that the DPA will have a special priority in regards to issues on the matter.

In particular, the recommendation elaborates on the following points, in order to help controllers navigate through the different processes:

  • The processing purposes must be specific and detailed. A simple mention of “marketing purposes” is not deemed sufficient in light of Art. 13 GDPR.
  • It is important to guarantee data minimization, as the profiling that accompanies direct marketing purposes calls for a careful handling of personal data.
  • The right to object does not only affect the direct marketing activities, but also the profiling which takes places through them. Furthermore, a simple “Unsubscribe” button at the end of a marketing E-Mail is not sufficient to withdraw consent, it is rather recommended to give the data subject the opportunity to a granular selection of which direct marketing activities they object to.
  • Consent cannot be given singularly for all channels of direct marketing. A declaration for each channel has to be obtained to ensure specification towards content and means used for direct marketing.

The Belgian DPA also stated that there are direct marketing activities which require special attention in the future, namely purchasing, renting and enriching personal data, e.g. via data brokers. In such cases, it is necessary to directly provide appropriate information to the data subject in regards to the handling of their data.

Further topics have been brought forth in the recommendation, which overall represents a thorough proposal on the handling of direct marketing activities for controller entities.

EDPS publishes opinion on future EU-UK partnership

3. March 2020

On 24 February 2020, the European Data Protection Supervisor (EDPS) published an opinion on the opening of negotiations for the future partnership between the EU and the UK with regards to personal data protection.

In his opinion, the EDPS points out the importance of commitments to fully respect fundamental rights in the future envisaged comprehensive partnership. Especially with regards to the protection of personal data, the partnership shall uphold the high protection level of the EU’s personal data rules.

With respect to the transfer of personal data, the EDPS further expresses support for the EU Commission’s recommendation to work towards the adoption of adequacy decisions for the UK if the relevant conditions are met. However, the Commission must ensure that the UK is not lowering its data protection standard below the EU standard after the Brexit transition period. Lastly, the EDPS recommends the EU Institutions to also prepare for a potential scenario in which no adequacy decisions exist by the end of the transition period on 31 December 2020.

The Government of India plans one of the largest Facial Recognition Systems in the World

14. February 2020

The Indian Government released a Request for Proposal to bidder companies to procure a national Automated Facial Recognition System (AFRS). AFRS companies had time to submit their proposals until the end of January 2020. The plans for an AFRS in India are a new political development amidst the intention to pass the first national Data Protection Bill in Parliament.

The new system is supposed to integrate image databases of public authorities centrally as well as incorporate photographs from newspapers, raids, mugshots and sketches. The recordings from surveillance cameras, public or private video feeds shall then be compared to the centralised databases and help identify criminals, missing persons and dead bodies.

Human rights and privacy groups are pointing to various risks that may come with implementing nationwide AFRS in India, including violations of privacy, arbitrariness, mis-identifications, discriminatory profiling, a lack of technical safeguards, and even creating an Orwellian 1984 dystopia through mass surveillance.

However, many people in India are receiving the news about the plans of the Government with acceptance and approval. They hope that the AFRS will lead to better law enforcement and more security in their everyday lives, as India has a comparably high crime rate and only 144 police officers for every 100.000 citizens, compared to 318 per 100.000 citizens in the EU.

Pages: Prev 1 2 3 4 5 6 7 8 9 10 ... 44 45 46 Next
1 2 3 4 5 46