The Croatian Data Protection Authority (DPA) has released guidance on the processing of personal data concerning COVID-19. For an organization to process COVID-19 related data, a legal basis must be laid down in EU or Croatian law. The guidance examines two aspects: the Decision of the Civil Protection Headquarters of the Republic of Croatia to inspect the EU COVID certificate upon entering official premises, and the legal basis for storing employee data during the use of an EU COVID certificate.
The GDPR stipulates that processing is lawful only if it meets certain conditions. The one most relevant to this type of processing is:
- Processing is necessary for the performance of a task in the public interest or in the exercise of the official authority of the controller.
The Act on the Protection of the Population from Infectious Diseases stipulates that the measures determined within the Act and in other international agreements shall be taken. This covers processing related to COVID-19. The Decision of the Civil Protection Headquarters of the Republic of Croatia (the Decision) is therefore the legal basis for processing within the meaning of the GDPR, because the processing is necessary to:
- Comply with the legal obligations of the controller
- Perform a task in the public interest
- Exercise the official authority of the controller
There are exceptions to the general prohibition on the processing of special categories of personal data. They include:
- Processing that is necessary to enforce obligations and exercise specific rights of the controller in the field of labor, social security and social protection law
- Processing that is necessary for reasons of substantial public interest and which:
  - is proportionate to the aim pursued and respects the essence of the right to data protection
  - provides appropriate and specific measures to safeguard the fundamental rights and interests of data subjects
- Processing that is necessary for reasons of public interest in the area of public health, such as:
  - protection against serious cross-border threats to health
  - ensuring high standards of quality and safety of healthcare and of medicines and medical devices
  - subject to suitable and specific measures to safeguard the rights and freedoms of data subjects, in particular professional secrecy
Based on all of the above, the Decision to inspect the EU COVID certificate or other appropriate evidence was deemed lawful. It was further determined that if an employer wants to store data on the validity period of employee certificates in order to facilitate or accelerate the implementation of the special security measure of mandatory testing, then the employer must:
- Find another legal basis under Article 6(1) of the GDPR for the lawfulness of such processing; and
- Apply one of the exceptions to the prohibition on processing special categories of personal data referred to in Article 9(2) of the GDPR
Employee consent is in most cases not an applicable legal basis for the lawfulness of processing in an employment context, due to the imbalance of power. However, the DPA considers that in this case consent can be given voluntarily, because the employee has an alternative and is unlikely to suffer negative consequences if they refuse consent. To have a valid legal basis for storing employee data on the validity period of the EU COVID certificate, the following grounds may be used:
- The explicit consent of the employee
- Other relevant evidence
- An exception to the general prohibition on processing special categories of personal data
Several important points were highlighted in allowing these measures to go ahead. The data controller has an obligation to take appropriate measures to protect personal data and must define the process required for the verification or processing of personal data. The persons authorized to carry out each step of that process must be clearly identified; the procedure for visual and digital verification of the EU COVID certificate must be prescribed in detail; and the procedure for processing the personal data of persons who refuse to act in accordance with the Decision must be clearly defined.
With regard to data storage, data on the validity period of the EU COVID certificate or other relevant evidence must be deleted upon the:
- Withdrawal of the explicit consent of the data subject
- Expiry of the certificate
- Termination of the Decision of the Civil Protection Headquarters
Navigating COVID-19 safety measures while staying GDPR compliant can seem daunting. Protecting you and your staff from both health risks and privacy breaches does not always pair up easily. Here at Value Privacy we can provide expert advice to make sure you can tackle both issues without any problems. We do the hard work for you so you can do what you do best. Contact us today.