On the 26th of April 2021, with decision n. 418, the Government has approved in advance the extraordinary measure that the Health Ministry intend to issue on the 3rd of May 2021 [1] and at the point 14, letter e) to order to operators like barbers, hairdressers, pedicures, manicures, cosmetics, massages and similar regeneration or reconditioning services to keep the documentation of clients for eventual epidemiological investigation. To a great number of operators, that until now have not processed any data on their clients or have not a lot of experience for keeping similar registration or create technical conditions, imposes a new obligation to process personal data.
The obligation to process personal data is imposed without a sufficient explanation.
In the specific case, refers to purposes of the processing, data portability, the storage retention period, the technical and organizational security, moods of compliance of the principle of transparency and obligation to provide information to data subjects, to this is connected the need to determine the way of performing of eventual inspections by the public health protection authority in the framework of an epidemiological investigation.
Is not so clear if registrations shall be stored into the field of data which generally permits the identification of a natural personal (name, surname, date of birth, address or physical residence, phone number) or another way, for example if the state administration uses the birth number in accordance with the relevant provision of the Law on the Registration of Population and Birth Numbers. The definition with the words “for the needs of a possible epidemiological investigation” is not specific enough, as it does not say anything about the required processing parameters.
In addition, it is not clear if the record shall include key information on the result of the test or another certificate which is legally preview by the current health status of the client, or if those information will be determined by inspection from the public health authorities. And it is also important to reply to the question if these can be carried out during epidemiological investigations or also out of them.
If a health information shall be stored into registers, we shall keep in mind that, according to the General Regulation, this is the so-called special categories of personal data, in which the protection asks for a particular attention. [2]. This is particularly true when those data shall be processed by a great number of people that provide services to their clients (data subjects). According to the General Regulation, the processing on large scale of a special category of data is subjected to an impact assessment of personal data protection pursuant to article 35 of this Regulation (according to the methodology of impact assessment of personal data protection for legislation projects).
Consequently, obligation of advices of the applicant pursuant to article 36 of the Regulation were not implemented in case of projects, which include, for example, statutes and eventual provisions adopted by the public administration based on legislation disposals.
The submitter shall always assess the current state and impact of the proposed solution compared to privacy protection and personal data, which is a thing that in this case, to the extended acknowledge of the Office, was not carried out. The assessment of the adequacy of the interference of rights ids a requirement of a current sentence of the dossier of the Administrative High Court n. 8 Ao 1/2021-133 of the 14th of April 2021.
A definition of the condition of clients registers kept which have completed the required action with a service providers asks for the simultaneously provision of a series of details in order that service’s providers known how to be in compliance and respect their clients in protecting their privacy and their personal data. The European Data Protection Board [3] has always underlined in its opinion that any actions taken by member States or by European institutions which affect the personal data processing in the fight against COVID-19 shall follow the General Regulation.
Law n. 94/2021 Coll. On emergency measures in case of COVID-19 epidemic in article 2, letter c) authorizes the Health Ministry to issue an urgent measure in order to limit the activity of barber, hairdresser, pedicure, manicure or solarium, the provision of cosmetic services, massages, regeneration or reconditioning or the exercise of a profession in which skin integrity is violated or to establish the conditions for their operation or supply. Anyway, it has not the right to impose to operator the obligation to store client’s registers and so to process personal data. In addition, it does not include details of the processing of new records [4].
If an obligation shall be imposed by a legislation, this act shall also have a direct connection with the original legislation and with the limits inside it. Even if the estate of accessories acts can not be excluded generally based on a legislation (issued intra legem), it shall being complied the conditions defined into the sentence of the Administrative High Court dossier n. 8 Ao1/2021-133 of the 14th of April 2021 [paragraph 119].
In addition, the Office detects differences in the extraordinary measure proposed which, compared to the mentioned sentence, create a different situation and increase the emphasis on requirements of the legal basis. Meanwhile in case of tests on employees by the employers, it is about a existence relationship in which the employer processes a series of data on employee by default, the proposed measures is a quality which is completely new compared to the legal obligation, because personal data of clients are not being processes in this measure, if the processing of personal data took place. Because personal data can not be processed without a legal basis, it will be necessary to consider if the obligation to identify clients can be arise by the legislation.
The office considers no admissible the recent obligation imposed to operators to store registers of clients for the eventuality of a epidemiological investigation without determine the specific purpose and other parameters of the processing and comply all the personal data protection principles in compliance with the General Data Protection Regulation.
Talking about the idea that the emergency measure required shall include a condition for the entrance of people in specific inner areas or for the participation to group manifestation, pursuant to the point 20, letter a), and c) under the presentation of “a certificate [of] the Health Ministry of the Czech Republic on vaccination against COVID-19”, the Office make a reference to its declaration on the so called vaccination passports of the 9th of April 2021, due to the impossibility with legal fact according to the point 20 on legal consequences. In view of the purpose of this advantage, a more detailed argument and a proportionality test are required.
We can also make a reference with the note of the General Secretary of the European Council, in which is affirmed that the usage of vaccination certification for medical purposes is not new, neither the obligation to bring those certificates on a street due to the epidemic diffusion. The same realizes for documents that confirm that a person has been immunized or resulted negative to a COVID-19 test. From the other and, the possibility to use vaccination certifications and immunization data for no medical purposes, like the exclusive access of persons to rights, services and public places, arise a lot of questions on the human rights.
At the end, it is necessary to assess if the emergency measure proposed is not in contrast with the sentence of the Administrative High Court of the 22nd of April 2021, ref. 6 Ao 11/2021-48, because it does not stand out prohibitions and restrictions from one hand and working conditions from the other. Because the government has not published an explicative relationship of the urgent measure, it is necessary to present an appeal for the effective justification of each measure.
In this phase, the mentioned disposal of the emergency measure can not be additional assessed.
III.
Compared to previous extraordinary measures which ordinates the revision of employees, the Office has left its declaration, on the 26th March 2021, in which it was underlined the responsibility of relevant bodies of the central administration of the State (Health Ministry), resp. health insurance companies, in order to determine in relation to the requested processing of personal data the exact scope of the personal data requested, to determine in a different way the processing parameters of such data (in particular the retention period), in the context of the defensible purpose of such processing. Through the declaration submitted, the Office seeks to prevent a similar situation and to assist the competent authorities in the proper fulfilment of legal obligations in the field of personal data protection.
[1] according to the website of the Government’s Office, this extraordinary measure was valid since the 26th of April 2021.
[2] article 9, paragraph 1, of the General Regulation requires that processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.
[3] the European Data Protection Board is an independent European body which contributes to the uniform application of personal data legislation all over the European Union and promote the cooperation among personal data protection authorities in the European Union. The European Data Protection Board is composed by representants of the national supervisory authorities and by the European Data Protection Supervisor.
[4] In contrast with the imposition of the obligation to test employees and other workers for the presence of the COVID-19, which implies the need to process personal data for this purpose and into the necessary measure
SOURCE: AUTORITA’ PER LA PROTEZIONE DEI DATI REPUBBLICA CECA