Protection of Personal Data vs. Citizen’s Health
Currently, enormous pressure is being exerted by cities, municipalities and other public authorities on the Slovak Republic's Public Health Authority (the top body for the regional public health authorities, which manages and coordinates their execution of state administration). This is because they have an interest in obtaining and utilizing relevant and necessary information about their corona-infected residents or residents in quarantine, in order to ensure public order, protect public health and limit the further spread of the corona virus.
This issue has been dealt with by the Slovak Republic's Office for Personal Data Protection (hereinafter referred to as the “OPDP”), which is a supervisory authority within the meaning of Article 51 of the General Data Protection Regulation (GDPR). In relation to the above, the Office has taken the position that in a situation such as this, it is important to bear in mind that obtaining, providing and subsequently processing data relating to the health of natural persons requires that Slovak law permits such processing, and that even in these exceptional times, the controller and the processor must ensure the protection of the personal data of the data subjects.
According to the OPDP, information about the quarantine or infection of a specific person (a resident of a municipality or a town) which states their exact identification is a special category of personal data, and it is therefore necessary for all of the interested parties (the Slovak Republic's Public Health Authority, municipalities and other public authorities) to establish that there is a relevant legal basis (given under the law or by a legal provision).
The lawful processing of a specific category of personal data (for example, data of a specific person in quarantine or infected) can only be carried out if at least one of the additional conditions for processing under Article 9 (1) of GDPR is fulfilled; at the same time, it is always necessary to have a legal basis for processing under Article 6 (1) GDPR.
According to Article 9 (2) letter (g) of GDPR it is necessary that such conditions are laid down in a generally binding legislation which stipulates appropriate and specific measures to protect the rights and freedoms of the data subject (for example, through government legislation).
According to Article 23 GDPR, such legal basis, or a legislative measure in connection with recital 41 GDPR, does not necessarily require a legislative act adopted by a national parliament (for example, in the Slovak Republic a law or a constitutional law). Nonetheless, in the light of the opinion of the OPDP, such a legal basis or legislative measure adopted and approved for the intended purpose must at least have the following attributes:
- compliance with the requirements of the legal order of the Slovak Republic;
- clarity, precision and foreseeability for data subjects, in accordance with the case-law of the Court of Justice of the European Union and the European Court of Human Rights.
In the opinion of the OPDP, a legal basis must have qualities that safeguard the preservation of a democratic and constitutional system and that are also observable from the outside. This is necessary for such a fundamental intrusion into the privacy and personal data of the data subject, given their sensitive nature. Only by ensuring the above-described safeguards in written form is it possible to guarantee that the intervention will be limited as a whole, limited in time and not open to exploitation. At the same time, Slovakia will also demonstrate the maintenance of these appropriate safeguards outwardly, in particular to those concerned.
Thus, if a municipality adopts a measure without implementing a government order, the OPDP considers that this is a breach of the municipality's competencies and non-compliance with GDPR. According to the OPDP, this conclusion is evidenced by the fact that such municipalities and towns are not guaranteeing the protection of the privacy of the data subjects of the municipality in accordance with Art. 9 (2) (g) GDPR in fine.
In the light of the above-mentioned conclusions of the OPDP, it should be noted that the rules of GDPR do not preclude measures taken to fight the corona virus pandemic. What is more, Art. 23 GDPR allows the scope of the relevant obligations and rights under GDPR to be restricted by way of legislative measures. However, these restrictions and the subsequent processing of personal data must include safeguards to prevent misuse of the data, unlawful access or its transmission, and guarantee the protection of the privacy of the data subjects. Only then, according to the OPDP, is it possible for municipalities to process this special category of their inhabitants' personal data in accordance with GDPR.
Despite the fact that the priority interest of society is to limit the spread of the corona virus, it is still necessary to ensure the protection of the personal data of those persons concerned. It is therefore important to take into account several factors in order to guarantee the lawful processing of personal data, and in all cases it should be remembered that any measure taken in this context must respect general legal principles.
Article provided by: Miroslav Chlipala and Stefan Pilar (Bukovinský & Chlipala, Slovakia)
Dr. Tobias Höllwarth (Managing Director INPLP)