Under the plan to survey the containment measures associated with the COVID-19 pandemic, the Government approved new measures, including a new teleworking and work organization regime.

Contrary to the exceptional measures adopted during the state of emergency, where teleworking was made mandatory, it ceases to be compulsory from June 1st, excluding some exceptional cases.

The new rules are as follows:

(i) Teleworking can be adopted in accordance with the Labor Code (e.g. by means of a written agreement between the parties);

(ii) Teleworking regime remains mandatory when, regardless of the employment relationship and whenever the functions in question allow it, the employee specifically requests it in the following cases:

a) If the employee is protected by the exceptional immunodeprived and chronically ill legal regime, provided that such situation is certified by a physician;

b) If the employee is disabled or has a degree of incapacity of 60% or more;

c) If the employee has a dependent child under the age of 12, or, regardless of age, with a disability or chronic illness, who attends an educational establishment or social equipment to support early childhood or disability, who remains closed by legal or administrative authority determination, considering that the measure only applies to one of the parents, regardless of the number of dependent children or dependents, outside periods of school breaks;

d) If there is an impossibility of physical spaces and work organization to comply with the guidelines of the Health State Agency (Direção Geral de Saúde) and the Labor State Agency (Autoridade para as Condições de Trabalho), to the strict extent necessary for their fulfilment (e.g. physical distance between employees).

Whenever teleworking is not adopted, specific work organization measures may be implemented:

a) The adoption of service schedules for employee rotation between the teleworking regime and the usual workplace, which may be daily or weekly; and

b) Adoption of differentiated entry and exit times, as well as breaks and meals.

The new measures may be applied only if the maximum limits for the normal working period and the right to daily and weekly rest provided for by law or applicable collective agreements are ensured.

The new working time arrangements may be applied by the employer under his power of direction, provided that the applicable legal procedure is respected.

The legal procedure determines that workers and their representative organizations must be consulted and given 7 days' notice (or 3 days in the case of a microenterprise) before the new work organization is implemented (article 217, Labor Code).

In a nutshell: teleworking can remain, under the general rules of the Labor Code, but is no longer compulsory, as it was during the state of emergency, at the peak of the Covid-19 pandemic.

The Portuguese 2020 Solar Auction Second Public Session was held yesterday with further information on the auction rules and specifications, and confirming the three methods of remuneration (fixed tariff, market scheme and market scheme with storage) announced in the first public session.

The map of the auction with the relevant substations was finally revealed. It comprises 12 lots with a wide capacity range, from 10 MVA to 109 MVA, in a total of 700 MVA, all located in the Alentejo and Algarve regions.

The auction rules, specifications and draft agreements to be executed by the winning bidder were also disclosed to promoters and are now available in the online platform https://leiloes-renovaveis.gov.pt/.

The current lack of grid capacity in the areas subject to this tender and the constraints related to the Covid-19 pandemic outbreak led to the extension of the post-auction timetable compared to last year’s auction. According to this new schedule, promoters now have 48 months (42 months if the project is not subject to environmental impact assessment) from the award of the grid capacity title to obtain the relevant operation license, instead of the 36 months (or 30 months) initially planned. Awarded projects are expected to reach COD in June 2024.

Promoters may submit their applications from 8 June to 31 July via the online platform, and the bidding phase shall take place by end of August.

Requests for clarification can be submitted by email to the address jurisolar@dgeg.gov.pt until 3 June at 1:00pm.

You can read more about the solar auction in our paper “The Portuguese 2020 First Solar Auction”, to be updated and complemented with the auction documents soon.

When the COVID-19 pandemic started, several European regulatory authorities took measures aimed at mitigating issues arising from the effects of social distancing and mandatory confinement. After the declaration of the state of emergency in Portugal, for example, we saw a sharp increase in data volume and a significant change in the profile of data transfers, a trend that stabilized during the current month (see data in respect of April and data in respect of May).

To better understand the EU regulators’ market intervention, we analyzed data gathered by Cullen International, comprising a sample of 20 countries, including Germany, Austria, Belgium, Croatia, Denmark, Spain, Finland, France, Greece, Ireland, Italy, Luxembourg, Norway, Poland, the Netherlands, Portugal, the Czech Republic, the United Kingdom, Romania and Switzerland. Intervention was grouped in five different areas: (i) data volume management, (ii) portability, (iii) spectrum, (iv) wholesale prices and (v) other.

Our first conclusion is that, in 40% of the countries (Belgium, Croatia, Finland, Luxembourg, the Netherlands, and Switzerland), regulators intervened in only one area. In 30% of the sample, there was no intervention. In the remaining countries, Denmark intervened in two, Spain, France, Ireland and Italy intervened in three areas, and the Portuguese regulator worked in four areas.

Interestingly enough, it seems there is no correlation between the intensity of regulatory intervention and the impact of the pandemic in each jurisdiction, which leads to the conclusion that, apparently, different risk awareness leads to different predisposition to intervene.

Measures taken by regulators in telecommunications networks ranged from restrictions to streaming services and suspension of functionalities and/or services (if they required the presence of workers on site), to the suspension of the right of cancellation of contracts. At regulator-operators level, measures varied from the suspension of obligations and licensing procedures to the collection of fees. In addition to these, there have also been some cases of interventions in wholesale prices.

Public intervention in Portugal proved to be the most intense, and in addition to the suspension of administrative procedures (see here the situation of the auction 5G), it focused on data volume management, consumer protection and portability, either directly or indirectly through public awareness campaigns in order to avoid overloading the network infrastructure.

Contact tracing has been a priority for app developers over the past few weeks. Local teams, corporations and governments have put efforts into developing apps that trace proximity between smartphone users, who in this case are potential hubs for contagion. The utility of these apps is that once a member of a community is diagnosed with the virus, the chain of transmission may easily be traced back.

These apps pose questions on how data collected is treated (you can read more on this here) and how efficient the technologies used are. The technologies used by tracing apps range from Bluetooth to geolocation, to newer technologies such as DP-3T (Decentralized Privacy-Preserving Proximity Tracing).

All of these technologies have their perks and challenges. Tracing via Bluetooth, for example, relies on the strength of the signal transmitted from each smartphone to determine proximity: the closer the smartphone is, the stronger its signal should be. In theory, that is, because different models and manufacturers build mobile devices that measure signal strength differently. The measurement is RSSI (Received Signal Strength Indicator). If different smartphones report different RSSI measurements for the same signal, the measuring accuracy is compromised.

Not only is the measurement of signal strength a weak link, but for measuring to occur, the Bluetooth-running apps must run permanently, which shortens smartphones’ battery life and means they will most likely be disabled by manufacturers and/or consumers.

Geolocation, also used by some of these apps, shares a certain level of inaccuracy with Bluetooth technology (BLE). As safe distances between people go, people should distance themselves from others at least two meters, but the most common geolocation technologies used are not accurate enough.

On one hand, GPS, which is the most accurate of all (able to determine location of up to five meters, which is still short), will only be able to track people outdoors, will be troubled by weather-related events and is very energy-consuming.

BLE geolocation, on the other, requires infrastructure for the emitting devices nearby to be precisely located by third parties which is an issue that is also shared by Wi-Fi. Network providers could use network triangulation to locate devices, but this technique lacks accuracy as the number of base stations for triangulation varies.

DP-3T, in turn, is not different technology-wise. Rather, DP-3T is a response to privacy concerns as it is a decentralized alternative to manual tracing of citizens: it is a privacy-by-design type of tracing, rather than a whole different way of locating devices. DP-3T uses Bluetooth and reverses the process: if a smartphone has stored a record of any of a diagnosed patient’s ephemeral identifiers (EphIDs), then the app knows that the user has been in contact with an infected user.
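The decentralized matching described above, as an added sketch that is not part of the original article or the DP-3T project's code: each phone derives rotating EphIDs from a daily secret key, and after a diagnosis other phones re-derive the patient's EphIDs locally and compare them with what they heard. The 96 epochs per day, the HMAC-based expansion and the `Phone` class are assumptions made for illustration.

```python
"""Simplified sketch of DP-3T-style decentralized matching (constructed example)."""
import hashlib
import hmac

EPHID_LEN = 16        # bytes per ephemeral identifier (assumption)
EPOCHS_PER_DAY = 96   # assumption: one EphID per 15-minute epoch


def next_day_key(sk):
    """Rotate the daily secret key with a one-way hash: old keys cannot be recovered."""
    return hashlib.sha256(sk).digest()


def ephids_for_day(sk, n=EPOCHS_PER_DAY):
    """Expand one day key into n short identifiers.

    HMAC-SHA256 in counter mode is used here as a stand-in expansion
    function; it is an assumption of this sketch, not the protocol's own.
    """
    seed = hmac.new(sk, b"broadcast key", hashlib.sha256).digest()
    return [
        hmac.new(seed, i.to_bytes(4, "big"), hashlib.sha256).digest()[:EPHID_LEN]
        for i in range(n)
    ]


class Phone:
    """Hypothetical handset: keeps its keys and everything it hears locally."""

    def __init__(self, initial_key):
        self.day = 0
        self.keys = {0: initial_key}  # day -> secret day key
        self.heard = {}               # day -> set of EphIDs observed over Bluetooth

    def advance_day(self):
        self.keys[self.day + 1] = next_day_key(self.keys[self.day])
        self.day += 1

    def broadcast(self, epoch):
        """EphID this phone would advertise in the given epoch of the current day."""
        return ephids_for_day(self.keys[self.day])[epoch]

    def hear(self, ephid):
        """Record a nearby phone's EphID; no identity or location is stored."""
        self.heard.setdefault(self.day, set()).add(ephid)

    def report_diagnosis(self, first_contagious_day):
        """A diagnosed user publishes only the key of the first contagious day."""
        return first_contagious_day, self.keys[first_contagious_day]

    def exposure_epochs(self, report, today):
        """Re-derive the patient's EphIDs on-device and count local matches."""
        day, sk = report
        matches = 0
        while day <= today:
            matches += len(self.heard.get(day, set()) & set(ephids_for_day(sk)))
            sk = next_day_key(sk)
            day += 1
        return matches


def demo():
    # Constructed keys; a real app would draw them from a CSPRNG.
    alice, bob, carol = Phone(b"A" * 32), Phone(b"B" * 32), Phone(b"C" * 32)
    phones = (alice, bob, carol)

    # Day 0: Carol is near Alice, before Alice's contagious window.
    carol.hear(alice.broadcast(10))
    for p in phones:
        p.advance_day()

    # Day 1: Bob is near Alice for three epochs and near Carol for one.
    for epoch in (40, 41, 42):
        bob.hear(alice.broadcast(epoch))
    bob.hear(carol.broadcast(5))
    for p in phones:
        p.advance_day()

    # Day 2: Alice is diagnosed and reports day 1 as the start of the window.
    report = alice.report_diagnosis(first_contagious_day=1)
    return bob.exposure_epochs(report, today=2), carol.exposure_epochs(report, today=2)


if __name__ == "__main__":
    print(demo())
```

Carol's day-0 contact does not match because the published day-1 key cannot be hashed backwards to the day-0 key, so identifiers broadcast before the reported window stay unlinkable.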

CP's new collective agreements were published in the “Boletim do Trabalho e Emprego”. These agreements replace the previous ones signed around 20 years ago. There are two agreements, one for general professional categories, and the other for train drivers. The negotiation was directed by the Labor Law team of Macedo Vitorino & Associados.

The new agreements were concluded by CP and the trade unions representing all the professional categories: SMAQ, SFRCI, FECTRANS/SNTSF, ASSIFECO, SNAQ, ASCEF, SINFB, SINFA, SINAFE, SINDEFER, SNEET.

The general collective agreement was published in the Boletim do Trabalho e Emprego of May 9, and SMAQ collective agreement in the Boletim do Trabalho e Emprego of March 29.

In summary, the new collective agreements include:

(i)     Increases of the base salaries (€15,00 for all employees);

(ii)    Increase of the meal allowance to €7,60;

(iii)   Increase of the seniority benefits to €24,00;

(iv)   Increase of the stopover allowance to 18,5%;

(v)    A driving bonus of €4.91/day paid for 13 months to all operational employees who meet the requirements defined in the respective clause;

(vi)   The posting of a map of stopovers and shifts 15 days in advance, which can however be only 10 days in advance;

(vii)  Supplementary allowance for medical insurance; and

(viii) Health insurance and pre-school allowance.

The signing of the new collective agreements is part of the principle of collective autonomy and the right to collective bargaining, enshrined among the rights, freedoms and guarantees of employees, specifically in no. 3 of article 56 of the Portuguese Constitution.

 

Collective bargaining, which includes the signing of Collective Agreements, allows for the adaptation of labor standards, organization of working time, as well as the regulation of a variety of labor issues that have no provision in labor law, ensuring the adaptability of labor legislation to those specified by companies.

In addition to the various measures that have been adopted in the context of the COVID-19 pandemic, new exceptional measures of a social nature have been published, with a view to broadening the protection granted by the laws in force.

The new law provides for:

(i) The extension of extraordinary support measures to members of statutory bodies of legal persons with managerial functions, provided that (1) they have employees at their service, (2) they are exclusively covered by the social security system in that capacity, (3) they operate in a single entity and (4) the entity in question had, in the previous year, a turnover of less than €80,000;

(ii) The extension of extraordinary support measures to self-employed employees not covered either because they have no contribution obligation or because they do not meet the other requirements for access to support;

(iii) The definition of a minimum limit of €219.40 for the supports referred to in (i) and (ii);

(iv) The reduction to 50% of the guarantee periods for cessation of unemployment benefit, with a reduction from 180 to 90 days of work with pay records in the 12 months immediately preceding the date of unemployment and from the current 120 days to 60 days for involuntary unemployment due to the expiry of the fixed-term contract or the termination of the contract at the initiative of the employer during the probation period;

(v) The elimination of excessive bureaucracy in the procedure of allocation of the social income of insertion, no longer being dependent on the signing of an insertion contract;

(vi) The creation of an additional support, in the amount of €219.40, for employees with green receipts, namely for those who in the last 12 months have not made contributions, for Social Security, because they are excluded.

The purpose of extending this support is therefore to cover a greater number of employers and employees who were unprotected until now, which is why, on the one hand, access to unemployment benefit has been made easier and, on the other, managers of small businesses can have their pay financed by the government during the first months of the crisis.

In the current context of the Covid-19 pandemic, companies are now questioning what measures may be implemented to prevent the spread of the virus among their employees with a view to a progressive return to their business activity, including whether it is lawful to collect health data from their employees, namely their body temperature.

The Portuguese Data Protection Authority (Comissão Nacional de Proteção de Dados – CNPD) has come forward with guidelines on the collection of employees' health data. CNPD considers that the employer may not collect and record the body temperature of employees, except when using health professionals in the field of occupational medicine and upon prior written justification.

Under the General Data Protection Regulation (GDPR), body temperature falls into one of the special categories of data – health data – subject to enhanced legal protection. GDPR prohibits employers from collecting or recording employees' health data except for the purposes of labor law. The Portuguese Labor Code provides that employers may not demand health data from employees, except when specific requirements related to the nature of the activity so justify and the relevant reasons are provided in writing by the employer. Health data must be provided to a medical professional, who may only inform the employer if the employee is able to perform his/her job.

Based on a literal interpretation of the Portuguese Labor Code, CNPD understands that the legislator has not assigned to the employer a role that is exclusive to health authorities, nor have they assigned such role to employers, which is true. However, it is also true that this rule was not drafted to be applied in exceptional situations, but in a so-called "normal" context of the employment relationship. Consequently, the application of this rule is debatable in the current pandemic scenario.

On this matter, the Portuguese Ministry of Labor has already noted that taking employees' body temperature in the workplace may be feasible in certain circumstances. The Portuguese Government should soon clarify this matter by means of a solution that should be proportional to the current pandemic situation, considering that employers have a duty of care, including the duty to ensure the safety of their employees in the workplace.

GDPR (as a regulation, GDPR must be immediately applied, unlike a directive, that must be implemented by each member state into the national law) provides that the processing of health data is lawful, through a health professional (subject to professional secrecy), if processing is necessary for reasons of public interest in the area of public health, including for monitoring epidemics and their spread, which is certainly the case. This is the lawful basis on which employers will be entitled to take employees' body temperatures (obviously, within certain constraints).

In short, very exceptional situations do demand very exceptional measures.

In times where the need for digital literacy and universal access is more apparent than ever, individuals, companies and the public administration will be pillars of the new Action Plan for Digital Transition (the “Action Plan”) just published by the Portuguese government, as part of a medium term digital strategy for Portugal to be implemented from 2020 to 2023.

Individuals’ digital inclusion is a keystone of the Action Plan, given that one quarter of the Portuguese population has never used the internet, which is significantly above the European average (this is having a negative impact on student availability for online schooling during the Covid-19 crisis). The new Upskill program will requalify professionals in information and technology-related areas and is expected to allocate a number of requalified persons to companies in need of manpower.

The Action Plan also aims to provide intensive training to three thousand participants over six months, in order to respond to the scarcity of IT human resources. The plan should bring at least one million adults into the digital economy, and it is also providing low fare tariffs for internet services. It will be interesting to see how its implementation will be affected by the ongoing Covid-19 lockdown measures.

As regards companies, territory-specific regulatory sandboxes are expected to be created in a number of Portuguese regions in order to promote research and development and testing of innovative products and solutions. Both +CO3SO Digital, a programme to bring digital entrepreneurship to less populated regions, and E-Residency, an Estonian-inspired virtual citizenship project, will target an international and digitally-inclusive outlook for the Portuguese economy.

Startup Visa, Tech Visa, Sign Up for Portugal and Startup Hub are examples of other company-oriented projects and programmes, specifically targeting the creation of a proper entrepreneurial ecosystem. Portugal is set to invest in the digital transition of businesses.

Public administration will be subject to transformative measures in the most used services by citizens, including the use of cloud computing, digital public services, digitally-enabled schools and internationally accessible public services.

To some extent, we can say that this Action Plan is mostly a repackaging or an extension of existing incentive plans, such as +CO3SO or Startup Visa, focusing on digital transition. It comes along with the 5G auction, set to occur in 2020 (you can read more about the 5G Auction here), to support the transition of the Portuguese economy to the digital era.

The General Data Protection Regulation (GDPR), which has been applicable since 25 May 2018, governs the processing of personal data throughout the European Union (EU). GDPR aims at ensuring a consistent and high level of data protection within the EU without jeopardising the free flow of data within the EU.

The GDPR has replaced Directive 95/46/EC of 24 October 1995 in force since 1995, and it superseded national data protection laws, including Law 67/98, of 26 October 1998. Along with the GDPR, Law 58/2018, of 8 August 2019, which implements some local specifics, is also in force in Portugal (GDPR Local Law).

Public and private entities are taking exceptional measures to prevent and mitigate COVID-19 across the EU, including in Portugal, where a state of emergency was decreed on 19 March 2020 and extended, at least, until 2 May 2020.

In this context, the Portuguese Data Protection Authority (DPA) has issued four papers:

(a) Resolution number 2020/170 of 16 March 2020, whereby all formal regulatory actions in connection with outstanding information request backlogs are suspended; and

(b) Three guidelines:

(i) Guidelines of 2 April 2020 on the use of video surveillance systems and alarms in the COVID-19 context, where the DPA stresses that private security companies are prohibited from carrying out activities falling into the scope of the exclusive powers of judicial or police authorities, including border control and the prevention and repression of crimes in public places;

(ii) Guidelines of 9 April 2020 on the use of distance learning technologies considering that Portuguese students are taking e-learning classes from their homes; and

(iii) Guidelines of 17 April 2020 on remote control means of employees under a distance work regime issued in response to several questions on the use of software for control of employees’ performance in teleworking, and the imposition on employees of a permanent connection to the video camera. The DPA clarifies that the use of such software tools is disproportionate and infringes data protection principles, and that labour rules prohibiting distance control means of employees’ activity remain applicable.

Apart from these four initiatives, no additional information is available in connection with data protection and COVID-19. Inversely, other EU data supervisory authorities, for instance, in the UK and Germany, have disclosed a set of materials and FAQs at their websites to respond to data protection questions arising from the current situation.

The current situation may involve the processing of different types of personal data, including special categories of personal data, such as health data, namely within an employment context. In a COVID-19 scenario (not only at the current stage of spreading, but also at subsequent stagnation and mitigation stages), the processing of personal data may be necessary for compliance with employers’ statutory obligations, e.g. obligations relating to health and safety at the workplace, or to the public interest, e.g. the control of diseases and other threats to health.

Bearing in mind that several questions may arise within an employment context (but not limited to), we have prepared a list of FAQs to help organizations to be able to respond to such new challenges.

1. May employers collect personal data of employees to prevent the spreading of the COVID-19 virus at the workplace? If so, what personal data is the employer allowed to process in this context?

Yes, employers may collect personal data of employees in order to prevent the spreading of the virus at the workplace to the extent that it is required to fulfil employers’ statutory duties (e.g. duty of care) and to organise the work in line with the Portuguese legislation, namely Portuguese labour rules.

The criteria should be whether the processing is necessary for a given purpose (e.g. processing that is necessary for the protection of the health of employees and for compliance with statutory reporting obligations), and the implementation of the GDPR’s principle of data minimization.

In principle, the collection of the following data will not raise major issues: name, current contact information, contacts with other persons within the organization, previous or intended stay in a high risk area, previous contacts with allegedly infected persons or whether a person is symptom-free.

Conversely, health data, which is considered a special category of data, is subject to restrictions that require an adequate interrelation between the GDPR, the GDPR Local Law and the Portuguese labour rules, as detailed below.

2. In these circumstances, what requirements must employers comply with when they carry out processing of employees’ personal data?

Employers may collect and process personal data of employees, including health information, to determine whether (i) they are infected or have been in contact with an infected person, or (ii) they were in a high-risk area during the relevant period.

Employers should inform employees about COVID-19 cases and take protective measures, but they must not disclose more information than is required.

Employers must keep employees informed about cases in their organisation, but they must not name individuals. The disclosure of personal data of infected persons (confirmed and suspected) to inform colleagues or externals is only lawful on condition that it is strictly necessary under exceptional circumstances to know the identity of that person, in order to mitigate the spread of the COVID-19 and allow employees to take relevant safeguards. In these very exceptional cases (where it is necessary to reveal the name of the employees who contracted the virus, e.g. in a preventive context), the concerned employees shall be informed in advance and their dignity and integrity shall be protected.

3. What is the relevant lawful basis for such data processing by employers?

As regards employees, the relevant lawful basis is the GDPR’s legitimate interests (Article 6/1(f) GDPR).

Where health data is processed, the relevant legal basis should be the GDPR’s employment and social protection legal basis, i.e., processing that is necessary for the purpose of carrying out the obligations and exercising specific rights of the employer or of the employees in the field of employment and social security and social protection law (Article 9/2(b) GDPR).

As regards local law, namely the labour law and the GDPR Local Law, we should stress the following rules:

(a) Article 28/1 of the GDPR Local Law states that the employer may process employees’ personal data for the purposes and within the limits set out in the Portuguese Labour Code;

(b) Article 17/1 (b) of the Portuguese Labour Code states that the employer may not ask for the employee to disclose health data, save when exceptional circumstances related to the professional activity may justify such disclosure and relevant grounds are provided in writing by the employer. Health data are provided to a medical doctor, who may only inform the employer on whether the employee is or is not able to perform their job functions; and

(c) Article 29/2 of the GDPR Local Law states that special categories of data, namely health data, may be processed for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health, and that suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy, must be adopted.

This means that the employer’s legitimate interests’ legal basis and, for health data, the employment and social protection legal basis, result from the general duty of care of the employer toward their employees. Health data must be processed by the employer, through a medical doctor subject to professional secrecy, which means that health data may not, in principle, be disclosed to other employees, unless in exceptional circumstances and insofar as it proves necessary to avoid the spreading of the COVID-19 at the workplace.

Under the duty of care, the employer must ensure the protection of the health of all employees. This also includes carrying out an appropriate response to the dissemination of the COVID-19, for prevention and traceability purposes (i.e., subsequent prevention toward contact persons).

It should also be noted that the GDPR includes derogations to the prohibition of processing of certain special categories of personal data, such as health data, where it is necessary for reasons of substantial public interest in the public health area (Article 9/2(i) GDPR), on the basis of EU or local law, or where there is the need to protect the vital interests of the individuals (Article 9/2(c) GDPR). As recital 46 GDPR states, some types of processing may serve both important grounds of public interest and the vital interests of the individuals, as for instance when data processing is necessary for monitoring epidemics and their spread.

In turn, employees’ consent cannot be considered as a lawful basis, as, in an employment relationship, there is a clear imbalance between employees (data subjects) and the employer (controller). It is unlikely that employees’ consent is freely given in the context of an employment relationship.

4. May employers process personal data of workplace visitors for COVID-19 related purposes?

Yes, employers may process personal data of workplace visitors for COVID-19 related purposes to determine whether (i) they are infected or have been in contact with an infected person, or (ii) they were in a high-risk area during the relevant period, and to the extent that the measures to be adopted are proportionate.

As regards visitors, measures against third parties that require the processing of health data can be justified based on the GDPR’s lawful basis regarding processing that is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health (Article 9/2(i) GDPR).

The consent of visitors (data subjects) can only be considered as a lawful basis for COVID-19 measures if they comply with all consent requirements, including if visitors are informed about the data processing and can provide consent about the measures voluntarily. This means that visitors should be aware at least of the identity of the data controller (the organization) and the purposes of the processing for which the personal data are intended in the context of COVID-19.

5. Are private mobile phone numbers and email addresses of employees allowed to be collected?

During the pandemic, employees may work from home more frequently than usual and they can use their own device or communications equipment. The collection of private mobile phone numbers and email addresses of employees may be necessary and hence lawful if they are to be used to ensure their "ongoing availability" during the current COVID-19 crisis, namely if employees are working through a distance work regime.

It may also be necessary if, for instance, an overload of the organization's IT infrastructure makes it necessary to communicate with the employer and/or other employees. In this case, care must be taken to ensure that no sensitive data is disclosed by means of "unsafe" communication means, namely email services, where there is a risk of unauthorized access to data by third parties.

Employers and employees need to consider the same kinds of security measures for homeworking that they use in normal circumstances, for instance, hardware and software encryption, a two/three-level password authentication system, keeping access log files. The data may only be used for the intended purpose and must be deleted immediately after the processing purpose has ceased to apply.

6. May employers use technological solutions for remote control of their employees’ performance through a distance work regime? May videoconference calls between employees or between the employer and employees be recorded?

According to recent guidelines issued by the DPA, the general rule prohibiting the use of means of remote surveillance to monitor employees’ performance is fully applicable in a distance work context. The same conclusion would always be reached by applying the principles of proportionality and minimization of personal data, since the use of such means implies an unnecessary and excessive restriction of employees’ private life.

For this reason, technological solutions for remote control of the employee's performance are not allowed. Examples of this are software that, in addition to tracking working time and inactivity, records the Internet pages visited, the location of the terminal in real time and the use of peripheral devices (mouse and keyboard), captures images of the working environment, observes and records when access to an application is initiated, controls the document on which the employee is working and records the respective time spent on each task (e.g., TimeDoctor, Hubstaff, Timing, Manic Time, TimeCamp, Toggl, Harvest). This type of tool manifestly collects excessive personal data from employees, enabling control of work at a higher level than that which can legitimately be carried out at the employer’s premises. The fact that the work is being carried out from home does not justify a further restriction on employees. To that extent, the collection and subsequent processing of such data violates the principle of minimisation of personal data.

Similarly, it is not allowed to require the employee to keep the video camera on permanently, nor is it, in principle, allowed to record videoconferences between the employer and employees.

Despite the prohibition of the use of such tools, the employer keeps the power to control the activity of the employee, which it may do, namely, by setting objectives, creating reporting obligations as often as it deems necessary and scheduling meetings by videoconference.

7. May employees’ files be processed in an employee’s home office (e.g. in the home office of the Human Resources staff)?

The processing of employees’ files in an employee’s home office can only take place in exceptional circumstances if it is strictly necessary and to the extent that technical and organizational measures are taken to protect personal data, including, for instance, hardware and software encryption, a two/three-level password authentication system, keeping access log files and not printing in the home office.

If you need any further clarifications or assistance in any questions on data protection matters, please do not hesitate to contact us.

The European Commission has recently issued guidelines for the development of contact tracing and warning applications in the fight against COVID-19, which can have a significant impact in the control of the disease and play an important role as part of containment measures.

Contents. These applications may include: (i) accurate information about the COVID-19 pandemic for users; (ii) self-diagnostic questionnaires and guidance for users (symptom control feature); (iii) alert notifications to persons who have been in close contact with an infected person, so that they can be tested or isolated (contact tracing and warning features); and/or (iv) a communication forum between patients and physicians, including providing further diagnosis and treatment advice (e-treatment advice).

Applicable regulations and supervision. Given the extremely sensitive nature of the data (in particular health data) and the purpose of the applications, they must comply with the General Data Protection Regulation (GDPR) and the Electronic Privacy Directive. They must also be implemented in close coordination with and under the supervision of the relevant public health authorities and national data protection authorities.

User control and consent. Users must keep full control over their personal data and hence they must give their prior consent (complying with GDPR requirements), separately for each of the application’s features.

Where location data is used, this data must be stored on the user's device and only be shared with their prior consent; users must be able to exercise their rights under the GDPR and, among others, they must be entitled to withdraw their consent at any time.

Principle of data minimization and data accuracy. Applications must comply with the principle of data minimization, and only the personal data required for the purpose at stake may be processed. For example, for the purpose of tracing contacts, the European Commission considers that the processing of location data is not necessary and thus it does not advise its use.

EU rules require that processed personal data are accurate. Therefore, the Commission considers that technologies such as Bluetooth should be used to more accurately assess contact between different users. The data must be stored on the user's device and encrypted and must only be kept for the necessary period, in medical terms, and for the duration of the containment measures.

For these applications to succeed, it is essential that citizens have confidence in them and feel safe using them, which must be ensured through strict compliance with EU rules on personal data protection.