14 August 2020
On 7 July 2020 the Data Protection Authority updated its FAQs regarding personal data processing in the face of the COVID-19 emergency, providing some important clarifications on contact tracing and medical data processing based on mobile app technology more generally.
'Contact tracing' is a strategy for the prevention of new contagions which involves:
As is evident, the implementation of this strategy implies and requires a major data processing operation relating to particularly sensitive personal information: in addition to identifying the personal data and location of people traced, a contact tracing system operates by processing health information.
Therefore, in order to undertake this type of data processing in compliance with the EU General Data Protection Regulation (2016/679) (GDPR), the contact tracing app must meet the requirements of Article 9 of the GDPR, which refers to the "processing of special categories of personal data" (eg, health data).
On the basis of Article 9 of the GDPR (strengthening in this sense the provisions referred to in Paragraphs 2(i) and 2(j) about the legitimacy of processing health-related data)(1) the legislature has adopted the following provisions through Legislative Decree 28/2020 (enacted, as amended, by Law 70 of 25 June 2020) and provided for the creation of a special contact tracing app (called Immuni) suitable for installing on various mobile devices.
The new FAQs underline that Immuni is the only contact tracing tool presently authorised and may be installed on a voluntary basis only, meaning that people who decide not to make use of it will face no prejudicial consequences (other than not receiving an automatic warning if there is a contact risk).(2)
If Italy's regions consider developing their own contact tracing apps for travel within their territories, they will need to ensure that their use is voluntary and has no prejudicial aspects. The Data Protection Authority has reiterated that any regional law which requires the use of a contact tracing app to enter a region would potentially violate the Constitution and data protection safeguards. The right to freedom of movement is a fundamental right granted by the Constitution and may be contravened only by law for health or security reasons (Article 16 of the Constitution).
The COVID-19 health emergency has also affected the management of relationships between patients and health personnel in respect of medical examinations to be carried out and social distancing to be ensured within health facilities.
To solve these problems, various health facilities have considered using telemedicine tools (mobile apps for tele-diagnosis, teleconsultation, tele-assistance and telemonitoring used by medical staff). In the new FAQs, the Data Protection Authority has clarified that when these tools are used to carry out remote diagnoses or therapies, specific and further consent from the person concerned is unnecessary, since this is a different way of maintaining a regular doctor-patient relationship (see in particular Article 9(2)(h) and Paragraph 3 of the GDPR). However, before proceeding with such processing (precisely in consideration of the quality and quantity of the data involved), healthcare facilities will first do a data protection impact assessment (Article 35 of the GDPR) and will subsequently inform patients of the data processing which will be carried out through the aforementioned application, pursuant to Article 13 of the GDPR.
Since the national health service must guarantee healthcare to those who cannot install telemedicine apps, their use cannot be made obligatory.
Conversely, applications in the medical field other than telemedicine (eg, mobile apps for the collection of information on the state of health of populations in a given territory) which also involve personal data processing may be used only with people's consent.(3)
Some companies, especially larger ones, have enquired about using contact tracing tools for employees only in order to verify the spread of the virus at a company level. However, the Data Protection Authority's position in this regard is strict: for now, the possibility of using any such system – and consequently of processing the relevant personal data in accordance with the law – is exclusively provided by Legislative Decree 28/2020 (ie, the Immuni app).
Conversely, in the FAQs, the Data Protection Authority reiterated the possibility of using contagion risk reduction systems that require no personal data collection for their operation. For example, it is possible to install turnstiles that prevent a greater number of people than the maximum allowed from entering a plant or conference room, in order to guarantee social distancing, or other barriers to entry equipped with optical detectors which do not allow access to certain places without adequate personal protection equipment (eg, masks).
Such tools are undoubtedly legitimate and involve no GDPR compliance issues, since they do not process data referring to identified or identifiable subjects; however, it is understood that it will be up to data controllers to verify the extent to which the chosen systems are reliable, also taking countermeasures in case of malfunctioning or false positives.
For further information on this topic please contact Luca Daffra at Ichino Brugnatelli e Associati by telephone (+39 (0)2 48193249) or email (email@example.com). The Ichino Brugnatelli e Associati website can be accessed at www.ichinobrugnatelli.it.
processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices… [and for] archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.