Le condizioni ricavabili dal Regolamento generale sulla protezione dei dati per le applicazioni nazionali di tracciamento dei contatti: alcune considerazioni

• Main Author: Gabriele Rugani
• Format: Article
• Language: English
• Published: European Papers (www.europeanpapers.eu) 2020-07-01
• Series: European Papers
• Subjects: covid-19 and the eu; general data protection regulation (gdpr); data protection; contact tracing apps; data minimisation; health data
• Online Access: https://www.europeanpapers.eu/en/europeanforum/condizioni-ricavabili-dal-regolamento-generale-sulla-protezione-dei-dati-covid-19

(Series Information) European Papers - A Journal on Law and Integration, 2020 5(1), 633-644 | European Forum Insight of 13 July 2020 | (Table of Contents) I. Introduzione. - II. La compatibilità generale delle applicazioni di tracciamento con il GDPR. - III. L'individuazione della "base giuridica" del trattamento e i limiti derivanti dalla stessa. - IV. I principi che regolano il trattamento: limitazione della finalità, minimizzazione, limitazione della conservazione. - V. Diritti dell'interessato e responsabilità del titolare del trattamento. - VI. Considerazioni conclusive. | (Abstract) In order to manage the COVID-19 pandemic, several EU Member States have decided to use contact tracing apps, which can display different characteristics: some of them rely on Bluetooth technology, while others on GPS location; some of them adopt a decentralised approach in data collection, while others a centralised approach. The present Insight focuses on the conditions that such apps must follow in order to be respectful of the General Data Protection Regulation (GDPR). First of all, it is necessary to choose a suitable legal basis for the processing, remembering that when sensitive data (such as health data) are collected the range of possibilities is even narrower. Depending on such choice, the processing is subject to different limits. Secondly, there are many principles which must be followed in any case, such as purpose limitation, data minimisation and storage limitation. Finally, the data subject must be put in a position to exercise his rights, and the data controller must fulfil obligations such as carrying out an impact assessment and adopting adequate security measures. Taking into consideration such conditions, it seems clear that according to the GDPR some contact tracing apps are more preferable than others, depending on their characteristics. In conclusion, it is possible to state that the GDPR balances public health and data protection by suggesting a graduality principle: the less privacy-invasive solution must be chosen, and it can be incremented only if the purposes cannot be sufficiently achieved. It is the only way to build trust in the users and therefore guarantee the effectiveness of the measures.