Successful management of the Coronavirus pandemic implies the establishment of new practices of collecting sensitive data of citizens to preserve public health. Politiscope monitored pandemic practices of data collection and processing to detect possible and likely violations of fundamental rights.
The key issue detected by the analysis is the lack of a separate legal framework for collecting and processing personal data in order to protect public health. In given circumstances, citizens’ data can be collected and processed without their consent, but recital 45. of the GDPR clearly defines the obligation to create a separate legal framework that defines all relevant elements of the processing. Considering pandemic data processing also includes the category of sensitive data, the obligation for creation of a separate legal framework stated in recital 52. also applies. Although the agency regularly refers pandemic data controllers to national laws as the lawful basis for data collection (for example, laws governing the work of schools), none of the existing laws contains all the necessary elements prescribed by Recital 45 of the Regulation (such as the categories of personal data which are subject to the processing, the data subjects concerned, the entities to which the personal data may be disclosed, the purpose limitations, the storage period and other measures to ensure lawful and fair processing). It is not surprising this legal mess led to dangerous and illegal instruction given to parlors and salons by the Croatian Institute for Public Health, while the schools conducted illegal processing of pupils’ data.
PHOTO: Electronic Frontier Foundation