Tag: UODO

No obligation to disclose vaccination certificates at events in Poland

7. July 2021

According to recent announcements, the Polish Personal Data Protection Office (UODO) has indicated that vaccinated individuals participating in certain events cannot be required to disclose evidence of vaccination against COVID-19.

In Poland, one of the regulations governing the procedures related to the prevention of the spread of coronavirus is the Decree of the Council of Ministers of May 6th, 2021 on the establishment of certain restrictions, orders and prohibitions in connection with the occurrence of an epidemic state. Among other things, it sets limits on the number of people who can attend various events which are defined by Sec. 26 para. 14 point 2, para. 15 points 2, 3. The aforementioned provisions concern events and meetings for up to 25 people that take place outdoors or in the premises/building indicated as the host’s place of residence or stay as well as events and meetings for up to 50 people that take place outdoors or in the premises/separate food court of a salesroom. Pursuant to Sec. 26 para. 16, the stated number of people does not include those vaccinated against COVID-19.

In this context the question has arisen how the information about the vaccination can be obtained. As this detail is considered health data which constitutes a special category of personal data referred to in Art. 9 para. 1 GDPR, its processing is subject to stricter protection and permissible if at least one of the conditions specified in para. 2 is met. This is, according to Art. 9 para. 2 lit. i GDPR, especially the case if the processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy.

The provisions of the Decree do not regulate the opportunity of requiring the participants in the mentioned events to provide information on their vaccination against COVID-19. Hence, it is not specified who may verify the evidence of vaccination, under what conditions and in what manner. Moreover, “specific measures to safeguard” as referred to in Art. 9 para. 2 lit. i GDPR, cited above, are not provided as well. Therefore, the regulations of the Decree cannot be seen as a legal basis authorizing entities obliged to comply with this limit of persons to obtain such data. Consequently, the data subjects are not obliged to provide it.

Because of this, collection of vaccination information can only be seen as legitimate if the data subject consents to the data submission, as the requirement of Art. 9 para. 2 lit. a GDPR will be fulfilled. Notably, the conditions for obtaining consent set out in Art. 4 para. 11 and Art. 7 GDPR must be met. Thus, the consent must be voluntary, informed, specific, expressed in the form of an unambiguous manifestation of will and capable of being revoked at any time.

Category: Coronavirus · COVID-19-Virus · Data Protection · European Union · GDPR · Personal Data
Tags: , , , , , ,

A short review of the Polish DPA’s enforcement of the GDPR

10. January 2020

To date, the Polish Data Protection Authority (DPA) have issued 134 decisions and imposed GDPR fines in 5 cases. In 4 cases, the Polish DPA fined private companies and in one case, it fined a public institution.

The fines for the companies ranged from 13.000€ to 645.000€. Reasons for the fines were failures in protecting personal data on websites resulting in the unauthorised access of personal data, inadequate technical and organisational measures, and an insufficient fulfilment of information obligations according to Art. 14 GDPR.

It is also noteworthy that the Polish DPA has imposed a 9.350€ fine on the Mayor of a Polish small town. Under Art. 83 (7) GDPR, each member state of the EU may lay down rules on whether and to what extent administrative fines may be imposed on public authorities. The Polish legislators decided that non-compliant public authorities may receive a GDPR fine of up to 23.475€.

The Mayor received the GDPR fine since he failed to conclude a data processing agreement with the entities to which he transferred data in violation of Art. 28 (3) GDPR. Moreover, the Mayor violated the principle of storage limitation, the principles of integrity and confidentiality, the principle of accountability and furthermore kept an incomplete record of processing activities.

Recently, the Polish DPA also published the EU Project T4DATA’s Handbook for Data Protection Officers (DPO) in order to help define a DPO’s role, their competencies and main responsibilities.

Category: EU · GDPR · General Data Protection Regulation · Personal Data
Tags: , , , , , , , , ,