Can a region allow the entrance into the territory only provided that the data subject installs and uses an application? Can the lack of installation of the “immuni” application have consequences for the data subject? What is the legal basis of the other applications, different from those of telemedicine, used to fight Covid-19?
This and other questions are answered from the FAQs published to the Italian Data Protection Authority (Garante) about the problems related to the realization of the national contact tracking application, as well as other applications by public subjects or sanitary structures.
The FAQs, available today on the Authority’s website www.garanteprivacy.it include general indications, also inspired by the responses provided to complaints, notices, complaints received from the Authority during this emergency period.
With regard to regional applications, the Authority has clarified that persons cannot be forced to unload them and that the lack of installation cannot imply any detrimental consequences for the interested parties or condition access to areas or areas.
With specific reference to the national application of contact tracing (Immuni application), it has been authorised from the Authority, it has stated that from its installation no prejuicievole consequences (such as limitations on the consumption of goods and services) can arise from its installation.
Health structures that attempt to use telemedicine instruments (application of telediagnosis, teleassistance and remote control used for medical personnel) to carry out diagnosis or therapies at a distance, do not have to claim consent to the processing of the personal data of the data subject.
For the use of different applications from telemedicine (such as dissemination applications or applications for the collection of information on the health status of the population in a territory), it is necessary the consent of the data subject, who has to be adequately informed about the use that will be made of his data.
The Authority has also stressed that applications have to process only data that are strictly necessary to pursue the purposes of processing, avoiding the collection of surplus data (e.g. those relating to the location of the mobile device of the data subject) and merely asking for permission for access to functionality or existing information only if indispensable.
Public administrations, regions, health structures will have to assess the risks that could result from a possible transfer of data to third parties (e.g. through social login, push notifications, and more) on all if established outside the European Union.
SOURCE: AUTORITA’ PER LA PROTEZIONE DEI DATI DELL’ITALIA – GPDP