This post is also available in: Español

As a result of the COVID-19 pandemic, on April 21, the European Data Protection Board (“EDPB”) published two different guidelines: (i) Guidelines 03/2020 on the processing of health data for the purpose of scientific research, discussed in this other blog post; and (ii) Guidelines 04/2020 on the use of location data and contact tracing tools (“Guidelines”).

In these second guidelines, the EDPB underlines that the framework established by the General Data Protection Regulation 2016/679 (“GDPR”) is a flexible instrument and allows personal data processing if it is necessary to manage the pandemic, while also protecting individuals’ rights and freedoms.

However, the use of these location and contact tracing technologies must (i) always comply with the general principles of efficiency, need and proportionality, (ii) form part of a global public health strategy including other joint measures (detection tests, etc.), (iii) be voluntary, and (iv) not be based on tracing individual movements but on user proximity.

Considering the above, the EDPB

  • Always grants preference to the use of anonymized location data, understood as those that use a technique making it impossible to link the data with an identified or identifiable individual against any “reasonable effort”. This concept must not be confused with pseudonymization, as pseudonymized data remain within the scope of the GDPR. Location and tracing of movements can be closely interconnected and generate a unique pattern of data during a period of time that cannot be completely anonymized.
  • It considers systematic and large-scale monitoring of location or contacts between individuals a grave intrusion into their privacy, and it therefore understands that it can only be legitimized through voluntary adoption by the population for each of the respective purposes, with no disadvantages suffered should they decide not to use these applications.
  • Given that these applications involve storing information or accessing data already logged on the user’s terminal equipment, the basis (i) will require the user’s consent, unless the processing is necessary to render the service explicitly requested by the user. Furthermore, (ii) under the GDPR, it must have a legal basis envisaged in the GDPR, which may be performing a task carried out in the public interest when the service is provided by public authorities and it is established by Union or, in our case, Spanish law (Article 6.1.e) of the GDPR). (iii) If it includes revealing personal data on health, the legal bases relating to the special data categories must also be adhered to (Article 9.2 of the GDPR).
  • It is also necessary:
    • To clearly define who is the controller and the duties and liabilities of each of the agents or participants. In the EDPB’s opinion, the data controller will be the health care authorities.
    • To define and specify the purposes of the processing, excluding any subsequent processing for purposes not related to managing the crisis.
    • To use proximity data, and not to monitor the user’s individual location.
    • To establish appropriate measures to prevent users being reidentified.
    • To log information on the user’s terminal equipment and only collect it when absolutely necessary.
    • To perform an impact assessment, which the EDPB recommends be published.
    • To support the supervision and manual contact tracing performed by qualified health care staff.
    • To conduct the audit of the algorithms and their regular review by independent experts, in which the source code must be made public.
    • To only include unique identifiers and pseudonyms, regularly generated and renewed.
    • Not to identify the infected user to the other users or the data controller.
    • To only communicate an infection with the user’s prior consent and after applying a verification method by which it can be stated that the person is effectively infected before issuing the notice.

The EDPB ends the Guidelines offering a series of general recommendations for those responsible for designing and implementing contact tracing applications.

Authors: Alejandro Negro and Adaya Esteban

This post is also available in: Español



58 artículos

Alejandro Negro



69 artículos