Czech Republic: UOOU publishes statement on the project Smart Quarantine
The Office for Personal Data Protection ('UOOU') published, on 2 April 2020, a statement on the emergency measure of the Ministry of Health ('the Ministry') ordering mobile communication network operators and banks to trace the movement and behaviour of individuals infected with COVID-19 ('Coronavirus') by processing the time and location data of the use of electronic means of payment, in connection with the project Smart Quarantine. In particular, the UOOU highlighted that the processing of personal data for the of purpose of combating a pandemic or preventing the deterioration of a pandemic must be adequate, effective, and limited in time.
In addition, the UOOU noted that the legal obligation for data processing by private data controllers, such as banks, should be for the fulfilment of a task performed in the public interest, as provided under Article 6(1)(e) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). However, the UOOU outlined that it is up to each controller or bank to define and concretely perform the required processing of behavioural data defined in the application of the Ministry or the Regional Hygiene Station. Furthermore, the UOOU highlighted that an emergency measure provides for the retention of personal data only for as long as it is necessary and, in the case of non-anonymised data, not more than six hours.
You can read the press release, only available in Czech, here.
UPDATE (14 April 2020)
UOOU issues statement on requested information in relation to the project Smart Quarantine
The UOOU issued, on 11 April 2020, a statement ('the Statement') regarding the information requested from the Ministry in relation to the project Smart Quarantine. In particular, the Statement noted that the Ministry had published in its website accurate information on the legal aspects of processing, including the relevant provisions of legal regulations that will be applicable to processing activities. However, the Statement explains that the Ministry, which is the controller responsible for the entire processing of personal data for this project, still needs to submit the documents requested by letter on 31 March, which will clarify how personal data will be used. Until then, the Statement highlights that UOOU cannot comment professionally on the measures taken so far, on the adequacy of privacy safeguards, on the risk of processing operations, and on data protection within an online environment.
You can read the Statement, only available in Czech, here.