THE GOVERNMENT AND PUBLIC BODIES IN CHARGE OF THE PANDEMIC PUSH COSMETIC AND HAIRDRESSING PARLOURS TOWARDS VIOLATION OF THE GDPR AND UNNECESSARY FINANCIAL SANCTIONS
Recommendations for the work of cosmetic and hairdressing parlours issued by the Croatian Institute of Public Health (CIPH), as well as the client data collection forms issued by the Chamber of Trades and Crafts, violate the most basic principles of the GDPR. Those who follow them therefore risk severe financial penalties. The scale of these violations of the legal framework is alarming and a cause for justified and deep concern among the public and citizens.
Duje Prkut, executive director of Politiscope, points out that the risk of drastic financial penalties is the main reason why Politiscope decided to react publicly: „The proposed model of data collection in parlours is illegal on several levels, but the main issue is that parlours refused to provide service to clients who would not give consent. The most severe financial sanctions are prescribed for such denial of service. It is striking that the Croatian Institute for Public Health does not know the basics of data protection, and yet it still dares to provide recommendations for salons that push them into an unnecessary risk of the most severe financial sanctions.“
Politiscope, an association focused on privacy, points out that there is a justified public interest for the state to collect sensitive data from citizens during a pandemic, even without their consent. In that case, however, the processing must be prescribed by law, the scope of the data collected must be clearly defined, the processing must be temporary, proportionate and necessary, appropriate technical protection measures must be taken, and data subjects must be fully informed about how their data are processed. The main public bodies in charge of managing the pandemic have instead opted for press conferences and voluntary instructions and guidelines. When it comes to the processing of citizens' data, this approach is simply unacceptable and illegal.
BRIEF ANALYSIS OF THE CROATIAN INSTITUTE OF PUBLIC HEALTH RECOMMENDATIONS FOR THE WORK OF COSMETIC AND MASSAGE PARLOURS, TATTOO AND PIERCING SALONS, PHYSIOTHERAPISTS, MANICURE AND PEDICURE SALONS
- What is the legal force of a recommendation? To achieve the goal that the CIPH is pursuing, the most appropriate legal basis for collecting and processing the data would be a legal obligation of the salon (Article 6(1)(c) GDPR). For that basis to apply, however, the obligation must be laid down in an act with stronger legal force than a "Recommendation".
- By using the term "consent" for collecting the data, the recommendation suggests that the salon should seek the consent of the data subjects, while at the same time emphasising that the service should be denied to those who do not give consent. Consent must be freely given and must not be made a condition of the provision of the service (Articles 4(11) and 7(4) GDPR).
- It is not clearly defined which public authority is the recipient of the data, nor whether that body has an updated privacy notice covering the new category of data it is starting to collect, or indeed any document at all that provides data subjects with the information the GDPR requires them to receive.
- No instructions have been issued on concluding an agreement on the exchange of such data with "epidemiologists", the CIPH, or some third, unidentified public body, an agreement that would define the rights and obligations of the data controller and the data processor (as Article 28 GDPR requires for any controller-processor relationship).
- No retention period is defined for the data, contrary to the storage limitation principle (Article 5(1)(e) GDPR).
BRIEF ANALYSIS OF THE CHAMBER OF TRADES AND CRAFTS FORM FOR COLLECTING CLIENT DATA, ISSUED TO "ALL CRAFTSMEN WHO WORK IN SERVICE INDUSTRIES WHERE PHYSICAL CONTACT IS PROLONGED"
- The form collects a wider scope of data than that prescribed by the CIPH recommendations: first name, last name, year of birth, address of residence, signature, a declaration that the person has not been in self-isolation and has not crossed the Croatian border, and even health data (the presence of symptoms of respiratory infection and/or elevated temperature).
- Collecting all of the listed data violates the principles of data minimisation and lawfulness (Article 5(1)(c) and 5(1)(a) GDPR), since there is no clear lawful basis for processing all of that personal data.
- Health data belong to the special categories of personal data (Article 9 GDPR): their processing is prohibited unless one of the specific exceptions applies, and additional technical and organisational safeguards must be put in place. The Chamber provided no advice or clear instructions on this issue.
- By using the form, the salon is forced to ask the client for consent to the data processing, while the CIPH emphasises that the service must not be provided without consent, which pushes salons into violating the basic conditions for valid consent.
- For violations of the basic principles of the GDPR, which include the conditions for consent (as is the case here), the Regulation prescribes administrative fines of up to 20 million euros or up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83(5) GDPR).