10.15166/2499-8249/385
https://www.europeanpapers.eu/en/europeanforum/condizioni-ricavabili-dal-regolamento-generale-sulla-protezione-dei-dati-covid-19
2499-8249
Rugani, Gabriele
Gabriele
Rugani
Università di Pisa
Le condizioni ricavabili dal Regolamento generale sulla protezione dei dati per le applicazioni nazionali di tracciamento dei contatti: alcune considerazioni
Some Considerations on the Conditions Established by the GDPR for the National Tracing Apps
European Papers (www.europeanpapers.eu)
2020
COVID-19 and the EU
general data protection regulation (GDPR)
data protection
contact tracing apps
data minimisation
health data
2020-07-13
Research Centre for European Law, Unitelma Sapienza - University of Rome
ita
European Forum Insight
text/html
PDF
Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License
European Papers - A Journal on Law and Integration, 2020 5(1), 633-644
European Forum Insight of 13 July 2020
I. Introduction. - II. The general compatibility of tracing applications with the GDPR. - III. Identifying the "legal basis" for the processing and the limits deriving from it. - IV. The principles governing the processing: purpose limitation, data minimisation, storage limitation. - V. Rights of the data subject and responsibilities of the data controller. - VI. Concluding remarks.
In order to manage the COVID-19 pandemic, several EU Member States have decided to use contact tracing apps, which can display different characteristics: some rely on Bluetooth technology, others on GPS location; some adopt a decentralised approach to data collection, others a centralised approach. The present Insight focuses on the conditions that such apps must meet in order to comply with the General Data Protection Regulation (GDPR). First of all, it is necessary to choose a suitable legal basis for the processing, bearing in mind that when sensitive data (such as health data) are collected the range of possibilities is even narrower. Depending on that choice, the processing is subject to different limits. Secondly, there are several principles which must be followed in any case, such as purpose limitation, data minimisation and storage limitation. Finally, the data subject must be put in a position to exercise his rights, and the data controller must fulfil obligations such as carrying out an impact assessment and adopting adequate security measures. Taking these conditions into consideration, it seems clear that, under the GDPR, some contact tracing apps are preferable to others, depending on their characteristics. In conclusion, it is possible to state that the GDPR balances public health and data protection by suggesting a graduality principle: the least privacy-invasive solution must be chosen, and its invasiveness can be increased only if the purposes cannot be sufficiently achieved. This is the only way to build trust among users and therefore guarantee the effectiveness of the measures.