EDPB Statement – the interoperability of Covid 19 tracing apps
During the EDPB Plenary, organised remotely on the 16th of June 2020, the Statement referring to the interoperability of Covid 19 tracing apps, based on the Guidelines 4/2020 on the use of location data and contact tracing tools in the context of the COVID-19 outbreak.
The Statement underlines the need to respect the transparency and legality of the processing involved, the rights of users, the observance of the data minimisation principle and the need to ensure the confidentiality. Also, interoperability should not be used as a reason to extend the collection beyond what is necessary.
In this context, we reiterate that, on the 21st of April 2020, the European Data Protection Board adopted Guidelines 4/2020 on the use of location data and contact tracing tools in the context of the COVID-19 outbreak.
These Guidelines were brought to the attention of the general public through the ANSPDCP’s press release dated the 24th of April 2020, stating that it highlights the conditions and the principles of proportional use of location data in order to monitor the spread of the virus, respectively of the detection tools, in order to notify the persons close to other persons found to be infected. On this occasion, the Board emphasised that the use of these data should be done on a voluntary basis by each person and that the persons’ movements should not be monitored and that the principles of necessity and proportionality should be respected when determining the measures for this period.
As such, we draw the attention of the controllers/processors who intend to develop/implement location and tracking apps in the context of Covid 19 outbreak on the necessity to comply with the rules of data protection, with the general principles relating to the processing of personal data, in particular the principles of privacy by design and privacy by default, with the principle of ensuring the security and confidentiality, with the principle of accountability, as well as on the necessity to respect the Guidelines 4/2020 on the use of location data and contact tracing tools in the context of the COVID-19 outbreak.
Thus, we emphasize that, by these Guidelines, it has been established for the tracking apps not to involve the use of location data, but only proximity data, as well as the fact that it is necessary for the controller to perform a data protection impact assessment (DPIA) prior to the implementation of this type of application, pursuant to Article 35 of the GDPR, by taking into account the sensitive nature of personal data processed on a large scale.
Legal and Communication Department
ANSPDCP