Support Centre

Slovenia: Commissioner issues statement on contact tracing app bill

The Information Commissioner ('the Commissioner') issued, on 26 June 2020, a statement on a bill ('the Bill') aimed at establishing and ensuring the operation of a mobile application ('the App') for informing people about contacts with those infected with COVID-19 ('Coronavirus'). In particular, the Commissioner highlighted that the App is designed to anonymously record the personal data of users, which raised concerns of data collection practices and the protection of sensitive personal data.

In addition, the Commissioner outlines privacy considerations relating to the use of contact tracing apps, including the fact that appropriate measures should be introduced to prevent re-identification of users, the information collected should be stored on the user's terminal equipment, and that only relevant information should be collected when necessary. Moreover, the Commissioner noted that a Data Protection Impact Assessment ('DPIA') should be carried out before the introduction of the App, as processing is considered to impose a high risk on data subjects due to the processing of health data on a large scale, systematic monitoring, and use of new technological solutions.

You can read the press release, only available in Slovenian, here.

UPDATE (29 June 2020)  

Commissioner issues statement calling for voluntary nature of App and a defined legal basis  

The Commissioner issued, on 29 June 2020, a statement emphasising that only voluntary installation of the App can be acceptable, and that new legal bases requiring the mandatory use of the App must respect fundamental standards of protection of the rights of individuals, in that they must be legal and constitutional, limited in time, necessary, and proportionate to the objective pursued. In particular, the Commissioner noted that proportionality and necessity are extremely difficult to justify in the case of a mandatory application, and highlighted that legislation should carefully consider these notions, and clearly define the individuals who will have access to contact data, the potential data controllers, and the role of the competent ministries.    

You can read the press release, only available in Slovenian, here

UPDATE (1 July 2020)   

Commissioner receives proposal of Bill and expresses concerns on provisions   

The Commissioner announced, on 30 June 2020, that it had received the proposal of the Bill on Intervention Measures for Preparation for the Second Wave COVID-19 ('the Bill'). In particular, the Commissioner highlighted that the requirement for infected individuals to pay a fine of €200-600, if they breach the obligation on mandatory use of the app, is disproportionate to their rights. In addition, the Commissioner emphasised that the Bill should clearly identify the data controllers and assign duties for competent authorities as well as clarify what data can be processed, for what purpose, and what the retention periods are, among others.  

Moreover, the Commissioner expressed concerns on the new provision which allows competent authorities to obtain information on the location of individuals through an electronic communications operator, and which establishes a basis for obtaining and using such data, that is when individuals are temporarily confined due to quarantine. Lastly, the Commissioner noted that law enforcement authorities can obtain an individual's location from an electronic communications operator under strict conditions, which can include a court order.   

You can read the press release here and the Bill here, both only available in Slovenian. 

UPDATE (2 JULY 2020)

Commissioner forwards opinion on Bill to National Assembly  

The Commissioner announced, on 2 July 2020, that it had forwarded an opinion ('the Opinion') to the National Assembly in regard to the Bill, requesting the disapproval of the provisions relating to the mandatory use of the App and the processing of users' location data. In addition, the Commissioner outlined good practices relating to the implementation of the App, including the publication of the Data Protection Impact Assessment ('DPIA'). 

You can read the press release here and the Opinion here.