THE GOVERNMENT AND PUBLIC BODIES IN CHARGE OF THE PANDEMIC PUSH COSMETICS AND HAIRDRESSER PARLORS TOWARDS VIOLATION OF THE GDPR AND UNNECESSARY FINANCIAL SANCTIONS
Recommendations for the work of cosmetics and hairdresser parlours, issued by the Croatian Institute of Public Health, as well as forms for collecting data of clients issued by the Chamber of Trades and Crafts, violate the most basic principles of the GDPR. Therefore, those who follow them risk severe financial penalties. The alarming scale of violations of the legal framework is a cause for justified and deep concern of the public and citizens.
Duje Prkut, executive director of Politiscope, points out that the risk of drastic financial penalties is the main reason why Politiscope decided to react publicly: „The proposed model of data collection in parlours is illegal on several levels, but the main issue is that parlours refused to provide service to clients who would not give consent. The most severe financial sanctions are prescribed for such denial of a service. It is striking that the Croatian Institute for Public Health does not know the basics of data protection, and it still dares to provide recommendations for salons that push them into an unnecessary risk of the most severe financial sanctions.“
Politiscope has already warned of the Government's gross violation of the GDPR when it launched the „digital assistant Andrija“ without a privacy policy - and the policy had serious omissions once it was published. The Government's amendments to the Law on Electronic Communications, withdrawn due to unanimous public criticism, were yet more proof that the Government does not have the capacity to design and implement legal and legitimate data processing systems in which the protection of public health is not pitted against citizens' rights. The Government's negligence towards data protection is now duly followed by other public bodies, which, unlike private companies, do not have to fear financial penalties.
Duje Kozomara, Deputy Executive Director of Politiscope and a personal data protection expert, was among the first to warn of illegal recommendations issued to hairdressing, pedicure and tattoo parlors. He considers the form sent to parlors by the Croatian Chamber of Trades and Crafts particularly problematic: “It was hard to believe that the Croatian Chamber of Trades and Crafts went beyond the already illegal recommendations of the Health Institute and advised parlors to collect information on an even larger scale. The Chamber advised parlors to collect the client's personal data on their movement outside of the parlor and even the information regarding their personal health. It takes only one client to report the parlor to the competent supervisory authority - which would be a serious problem since, most likely, none of them have a Privacy policy or a data protection officer and at the same time they denied services to those who would not provide consent. It's a dream recipe for a serious financial penalty."
Politiscope, an association focused on privacy, points out that there is justified public interest for the state to collect sensitive data from citizens during a pandemic, even without their consent. However, in that case, the processing must be prescribed by law, the scope of data collected must be clearly defined, the processing must be temporary, proportional and necessary, and appropriate technical protection measures must be taken, with full transparency to respondents about the processing of their data. Main public bodies in charge of managing the pandemic have opted for press conferences and voluntary instructions and guidelines - when it comes to the processing of citizens' data, this approach is simply unacceptable and illegal.
BRIEF ANALYSIS OF CROATIAN PUBLIC HEALTH INSTITUTE RECOMMENDATIONS FOR THE WORK OF COSMETIC AND MASSAGE PARLORS, TATTOO AND PIERCING SALONS, PHYSIOTHERAPISTS, MANICURE AND PEDICURE SALONS
- The instruction is insufficiently clear and lacks the full set of information salons would need in order not to violate a number of obligations under the General Data Protection Regulation: the legal basis for such processing is not fully clarified, no technical or organizational data protection measures are recommended, and salons are not told to update their Privacy Policy.
- What is the legal force of a recommendation? The conclusion is that, in order to achieve the goal that the CIPH wants to achieve, the most appropriate legal basis for data collection and processing would be a legal obligation of the salon; but for this basis to apply, the act must have stronger legal force than a "Recommendation".
- By using the term “consent” for collecting the data, the recommendation suggests that the salon should seek the consent of the data subjects, while at the same time emphasizing that the service should be denied to those who do not give consent. Consent must be voluntary and must not be a condition of the provision of the service.
- It is not clearly defined which public authority is the recipient of the data, nor whether that body has a new Privacy notice, given the new category of data they are starting to collect - or whether it has a document at all to provide the necessary information to the data subject.
- No instructions have been issued for signing an agreement on the exchange of such data with “epidemiologists”, the CNIPH, or some third unknown public body, which would define the rights and obligations of the data controller and the data processor.
- The period for keeping such data is not defined.
BRIEF ANALYSIS OF THE CHAMBER OF CRAFTS AND TRADE FORM FOR COLLECTING DATA OF CLIENTS ISSUED TO „ALL CRAFTSMAN WHO WORK IN SERVICE INDUSTRIES WHERE PHYSICAL CONTACT IS EXTENDED“
- The form collects a wider scope of data than that prescribed by the recommendations of the Croatian Institute for Public Health: name, last name, year of birth, address of residence, signature, confirmation that the person has not been in self-isolation or crossed the Croatian border, and even data related to health (presence of symptoms of respiratory infections and/or high temperature).
- Collection of all the listed data violates the „data minimisation“ and „lawfulness“ principles, since there is no clear lawful basis for the processing of all that personal data.
- Personal data related to health belong to special categories of personal data and a special set of technical and organizational measures have to be applied. The Chamber failed to provide advice on the issue, or any clear instructions.
- By using the form, the salon is forced to ask for the client's consent to data processing - and the CIPH emphasizes that it must not provide the service without consent, which pushes salons towards violating the basic conditions for valid consent.
FINANCIAL SANCTIONS:
- For violations of basic GDPR rules, which also include violations of consent conditions (as is the case here), the Regulation prescribes financial sanctions up to 20 million euros or up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.