The panel of data protection authorities of the member states of the European Union (the European Data Protection Board, EDPB) released an opinion on the interoperability guidelines for contact tracing mobile applications in the EU, adopted by the eHealth network as part of the fight against the spread of the Coronavirus.
The EDPB reiterates that the use of contact tracing applications relies on the processing of pseudonymized personal data and that disclosure of that personal data should be triggered only by a voluntary action of the user.
The EDPB recognizes that the interoperability of contact tracing applications within the member states of the European Economic Area (EEA) may increase their effectiveness, promoting the traceability of more human COVID-19 contacts. This is especially true for individuals in border regions that may be exposed to many people from other EEA member states. However, the EDPB is concerned that due to the differences between the approaches in member states, implementing interoperability would prove infeasible without disproportionate trade-offs of data.
The EDPB believes that any operation or set of operations that pursues the purpose of ensuring interoperability, in addition to the processing for the functionality of the applications, is considered a separate processing activity in its own right, for which the interoperating parties may either be distinct or joint controllers. The parties’ roles need to be clearly defined and communicated to the data subject, and this may also affect the scope of the Data Protection Impact Assessment (DPIA) that needs to be performed.
Finally, the EDPB reiterates that the GDPR’s principles of transparency, the legal basis for processing, data subjects’ rights, data retention and minimization, and data security measures all apply and must be taken into consideration in this type of processing.