Slovenia: Commissioner reiterates inadequate legal basis for operation of Coronavirus App
The Information Commissioner ('the Commissioner') issued, on 30 July 2020, a statement reiterating the inadequate legal basis for the operation of the mobile application ('the App') for informing people about contact with those infected of COVID-19 ('Coronavirus'). In particular, the Commissioner highlighted that the Data Protection Impact Assessment ('DPIA') carried out in respect of the data processing through the App does not remedy the serious deficiencies in the law and the risks arising from the ambiguities as to whether there is a clear and constitutional legal basis for the processing of personal data related to the operation of the App. In addition, the Commissioner emphasised that such a high risk cannot be mitigated by organisational measures alone, and noted that the mere fact that the use of contact tracing applications is voluntary does not mean that the processing of personal data will be based on consent, as is the case of public authorities providing a service by delegation, where the most relevant legal basis for processing would be that processing is necessary for the performance of a task in the public interest, as provided under Article 6(1)(e) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').
You can read the statement, only available in Slovenian, here.