Tech & Rights

Decisions and Recommendations of Data Protection Authorities in Europe

Knowledge Hub: COVID-19 Contact Tracing Apps in the EU

by LibertiesEU
Country Reports | Data Protection Authorities | Policy Bodies | Courts | Legal Acts

Last updated 15 March 2021

Belgium | Germany | Italy | Lithuania | Poland | Slovenia | Spain | European Data Protection Board (EDPB) | European Data Protection Supervisor (EDPS)

Belgium: Autorité de protection des données (APD)

APD opinion (n° 79) on Cooperation Agreement, replacing Royal Decree No. 44 concerning the centralized database and manual and digital contact tracing (7 September 2020)

Name of applicant: Minister of Social Affairs and Public Health, and Asylum and Migration, Maggie De Block

Summary: The APD comments on the Cooperation Agreement of 25 June 2020. It makes recommendations and asks for clarification on the law regarding manual and digital contact tracing, e.g. that the law provide for the app's security audit to be carried out by an independent third party. Read more


APD opinion (n° 64) on Cooperation Agreement, replacing Royal Decree No. 44 concerning the centralized database and manual and digital contact tracing (20 July 2020)

Name of applicant: Secretary of State for Social Fraud, Privacy and the North Sea, Philippe De Backer

Summary: The APD notes that the Cooperation Agreement is very similar to Royal Decree No. 44 (for which it was not consulted). Regarding the contact tracing part, the APD welcomes the fact that the regulators have adopted some of the recommendations made in its previous opinions (n° 34 and n° 43). It notes, however, that some of its recommendations, which aim to ensure the proportionality of the interference with the right to respect for private life, were not included in the draft. Read more


APD opinion (n° 44) on amendments made to Royal Decree of Special Powers No. 18 (5 June 2020)

Name of applicant: President of the House of Representatives, Patrick Dewael

Summary: The APD notes that some of the proposed amendments to the Royal Decree of Special Powers No. 18 improved the bill. However, it highlights issues such as a lack of justification for collecting massive amounts of sensitive data in a central database, and the fact that GPs are forced to breach medical confidentiality when they communicate their patients’ data. It also criticizes the provision allowing call center agents to carry out home visits, calling it a “disproportionate intrusion”. Read more


APD opinion (n° 43) on preliminary draft royal decree for the use of a contact tracing app (26 May 2020)

Name of applicant: President of the House of Representatives, Patrick Dewael

Summary: The APD welcomes the amendments made to the related royal decree but says that efforts must still be made to ensure that the implementation of the app is in line with GDPR. It asks that the draft law be amended. Its recommendations include that the source code be published, that the draft law provide more information regarding the functioning of a contact tracing app, that only one contact tracing app be available at national level (as opposed to several apps), and that any data protection impact assessments conducted in relation to such an app be submitted to the authority. Read more


APD opinion (n° 42) on draft law Royal Decree of Special Powers No. 18 (25 May 2020)

Name of applicant: President of the House of Representatives, Patrick Dewael

Summary: The APD states that its main complaints (e.g. the need to clarify the data retention period and the data controller) had not been addressed and demands that the bill be restructured, respecting the principles of necessity and proportionality. Read more


APD opinion (n° 36) on draft law Royal Decree of Special Powers No. 18, which sets the legal basis for the creation of a huge centralized database (29 April 2020)

Name of applicant: Secretary of State for Social Fraud, Privacy and the North Sea, Philippe De Backer

Summary: The APD states that adoption of Royal Decree of Special Powers No. 18, which sets the legal basis for the creation of a huge centralized database, would breach European data protection law. The APD highlights a series of points that must be addressed, insisting that the preliminary draft be restructured and that it provide more clarity on, e.g., the sources and type of data collected, the data controller, the retention period, and who will have access to the data and why. The APD also underlined the importance of the principles of necessity and proportionality and pointed out that its opinion was only requested at the last minute. Read more


APD opinion (n° 34) on preliminary draft Royal Decree that empowers the King to take measures to combat the spread of COVID-19, in the context of the use of digital contact tracing applications as a preventive measure against the spread of COVID-19 (28 April 2020)

Name of applicant: Secretary of State for Social Fraud, Privacy and the North Sea, Philippe De Backer

Summary: The APD issued an opinion on the use of contact tracing apps to contain COVID-19. It highlighted the importance of the right to privacy, the principle of proportionality and the need for the app to be less intrusive than other measures that would achieve the same result. Read more


Germany: Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI)

Statement: the data protection around the Corona-Warn-App is sufficient but DPIA and source code must be published and weak points around telephone hotlines must be fixed (16 June 2020)

Summary: The BfDI comments that it is essential to publish the data protection impact assessment (DPIA) and the source code. It insists that the project’s transparency is critical for the acceptance rate. The BfDI calls for adjustments in particular regarding the telephone hotline, which people who were diagnosed with COVID-19 can contact to receive a QR-code that they can upload in the app (if for example a laboratory is unable to generate a QR-code). The BfDI recognises the utility of a hotline, but says that it “cannot keep up with a completely pseudonymous use of the app”. Read more


Letter to the Ministry of Health concerning a possible legal framework regulating the Corona-Warn App (13 May 2020)

Summary: The BfDI wrote in a letter to the Federal Minister of Health that if health data should be processed beyond its original purpose in the sense of Article 9 Paragraph 1 GDPR and without the knowledge of data subjects, then the processing of data collected by the app is not legitimate. In such a case, a legal regulation is required, in which the legislature has to demonstrate in particular the proportionality and thus also the necessity and suitability of the data processing for a legitimate purpose. It also notes the use of the app by minors and points out that younger children cannot legally consent to data processing. They would therefore need consent from their legal guardian. At the time the letter was published, the BfDI was discussing this with the developers of the app. Read more


Italy: Garante Per La Protezione Dei Dati Personali (Garante)

Garante authorizes the use of the contact tracing app "Immuni" on the basis of the DPIA it received from the Ministry of Health (01 June 2020)

Summary: Garante decided that the measures taken by the Ministry of Health sufficiently protect the rights of the data subjects, and thus authorized the use of Immuni. It did, however, point out 12 critical features that the Ministry must address within 30 days. These include that users must be better informed about the functioning of the app’s algorithm; that they must be informed that the system can generate exposure notifications that do not always reflect an actual risk (false positives); that users must be allowed to temporarily deactivate the app; that the DPIA needs more information on the data subjects’ right of cancellation; and that the role of Bending Spoons, Apple and Google must be clarified on the basis of the accountability principle. Read more


Garante's opinion on Italy's Decree 28 on 30 April 2020 (29 April 2020)

Name of applicant: The Presidency of the Council of Ministers

Summary: The Presidency of the Council of Ministers requested the opinion of Garante on the legislative proposal (Decree 28) for the tracing of contacts between subjects via a mobile phone application as part of the government's containment strategy. The proposed decree is aimed at regulating the processing of personal data for the purpose of tracing contacts between subjects who have voluntarily installed a mobile phone application. Garante expressed an overall favorable opinion, as the proposal appears to comply with the criteria indicated by the Guidelines of the European Data Protection Board (EDPB) of 21 April. Read more


Informal hearing (videoconference) of the President of Garante on the use of new technologies to contain the spread of COVID-19 (8 April 2020)

Summary: Garante presented its position on the use of new technologies to stop the spread of the virus at a parliamentary hearing. It argued that Bluetooth technology for contact tracing is the preferable option. Garante underlined the importance of voluntary use, data minimization, the need for a well-defined data-retention period and a legally guaranteed purpose limitation. It estimated that at least 60% of the population would have to use the app and give their consent in order to achieve effectiveness. Garante shared the position taken by the European Data Protection Supervisor (EDPS), which favours the adoption of a unified data tracing scheme at European level. Read more


Lithuania: State Data Protection Inspectorate (VDAI)

VDAI imposes fines for GDPR breaches (26 February 2021)

Name of applicant: Human Rights Monitoring Institute (HRMI)

Summary: After the temporary suspension of the quarantine app in May 2020, the VDAI fined the National Public Health Center (NVSC) and the company UAB IT Solutions Success for violating Articles 5, 13, 24, 32, 35 and 58 (2) (f) GDPR. The NVSC was fined 12,000 EUR and UAB IT Solutions Success 3,000 EUR. After conducting an investigation, the VDAI found that both the NVSC and the company are joint data controllers, although both denied such status. The VDAI found that the NVSC and UAB IT Solutions Success processed personal data intentionally and to a large extent illegally. Read more


VDAI decides to suspend quarantine app (25 May 2020)

Name of applicant: Human Rights Monitoring Institute (HRMI)

Summary: The State Data Protection Inspectorate (VDAI) suspended the Karantinas app due to possible breaches of European data protection law. Following a Freedom of Information request, it informed the Lithuanian NGO Human Rights Monitoring Institute (HRMI) that the developers of the app had not sought the prior consultation provided for in Article 36 of the GDPR. It decided to initiate an investigation and suspend the app following information gathered from the press because it was not clear who the data controller was. The decision was based on suspicion that the processing of personal data by this app may violate the principle of accountability enshrined in Article 5(2) of the GDPR and, possibly, the requirements of Article 5(1) of the GDPR. In response to an inquiry by the HRMI as to the progress of the investigation, the VDAI responded that, due to the huge amount of information to be handled, the investigation was still ongoing. As of 17 February 2021, the investigation was still ongoing. Read more


General statement on the protection of personal data during COVID pandemic (22 April 2020)

Summary: Information on general principles of personal data protection and regarding the processing of personal data by competent public health authorities within Lithuania’s Law on Electronic Communications. Read more


Poland: Urząd Ochrony Danych Osobowych (UODO)

UODO replies to request of the Polish Ombudsman for an evaluation of the quarantine enforcement app (Kwarantanna domowa) (19 June 2020)

Name of applicant: Polish Ombudsman for Citizens Rights, Adam Bodnar

Summary: In its reply, UODO states that it does not see the need to take additional actions and rejects the Ombudsman's request. Instead, it provided a list of its activities, such as its participation in the work of the European Data Protection Board (EDPB) and in consultations, and simply redirected the Ombudsman to its website, where the latter could find more information. Read more


UODO sends a letter to the Ministry of Digital Affairs pointing out three issues related to the contact tracing app ProteGo Safe (30 April 2020)

Summary: UODO writes to the Ministry of Digital Affairs about three problems related to the ProteGo Safe application: First, the need to organize the privacy policy and regulations. (UODO signaled that it was unclear who was responsible for the operation of the application, the Ministry of Digital Affairs or the Chief Sanitary Inspector.) Second, there was reference to the legal basis for data processing. According to UODO, consent is the only acceptable basis for the processing of data of users. It criticized the application’s failure to provide in advance reliable information to its users about the data processed. Third, the lack of a data protection impact assessment (DPIA). Read more


Slovenia: Informacijski pooblaščenec (IP)

IP issues opinion on employer's request that employees install the contact tracing app (21 October 2020)

Summary: The IP states that there must be an appropriate and lawful legal basis for any processing of personal data, in line with Article 6 (1) of the GDPR. Regarding the use of the application, the IP recalls that it has repeatedly emphasized that the use of the app is on a voluntary basis, and that this also applies to the use of the application in the context of employment. Therefore, the IP concludes that the legal basis that would give the employer the right to require the employee to download the contact tracing app does not exist. Read more


IP issues statement on government's SMS contact tracing app promotion campaign (11 September 2020)

Summary: In early September, the government launched a massive SMS promotion campaign, inviting people to install and use the app. The IP received numerous complaints and questions concerning the legality of this campaign. In this statement, the IP clarifies that it is not its responsibility as it falls within the competencies of the Agency for Communication Networks and Services of the Republic of Slovenia (AKOS). Read more


IP issues statement reacting to DPIA issued by Ministry of Public Administration (30 July 2020)

Summary: The IP highlights that the DPIA was made after the law had passed. It argues that even though a government representative publicly stated that the app would be voluntary, the law still said that it is mandatory, with fines between 100 and 600 EUR for people who did not use it. It also highlighted that no data controller had so far been identified and that there had been no clarification as to the purpose limitation of personal data. Read more


IP sends opinion calling on the National Assembly not to adopt the new bill that would make the contact tracing app mandatory for people in quarantine (02 July 2020)

Summary: The IP sent an opinion to the National Assembly urging it not to adopt the Fourth COVID-19 Act, which would pave the way for mandatory use of a contact tracing app. It also sharply criticizes Article 24, which enables authorities and various providers of telecommunications to monitor the location of citizens who use the contact tracing app. It also highlights that the IP was not previously consulted "despite the fact that it is a very sensitive matter from the point of view of protecting the fundamental right of individuals to the protection of personal data and privacy." Read more


IP issues statement on the upcoming bill that creates a legal basis for the introduction of a contact tracing app (26 June 2020)

Summary: The IP comments on the upcoming bill, which it was informed of through the media. It criticizes the government's intention to make the contact tracing app mandatory for people in quarantine and lists key points that must be considered when introducing such an app (e.g. it discourages the use of location tracking and recommends taking measures to prevent re-identification, introducing safeguards including a reference to the voluntary nature of the app, clearly defining a purpose, and conducting and publishing a data protection impact assessment). Read more


IP issues opinion on the tracking of individuals suffering from COVID-19 via mobile phone applications (09 April 2020)

Name of applicant: Ministry of Health

Summary: The IP reminds the Ministry that it is essential to first carry out an impact assessment with clear technical parameters of the application in terms of its objectives and the principle of proportionality, and only then consider drafting a legal framework. The IP also highlighted the need for transparency (what data will be processed, for what purposes, where and how it will be stored, who will be the data controller, what will be the legal basis, how long it will be stored, etc.). Read more


Spain: Agencia Española de Protección de Datos (AEPD)

AEPD reacts to government's press release that claims that the agency was involved in the development of the contact tracing app from the start (23 June 2020)

Summary: AEPD reacts to a press release by the government, clarifying that its involvement in Radar COVID was actually very limited and complaining about the poor collaboration with the Secretary of State for Digitalization and Artificial Intelligence (SEDIA), who is in charge of the development of Radar COVID, and in particular the latter’s unwillingness to provide enough information to assess whether it complied with the EU’s General Data Protection Regulation (GDPR). Read more


AEPD announces investigation via Twitter (21 May 2020)

Summary: The AEPD indicates in a tweet that it will be launching an investigation into the government’s plans to launch a contact tracing app (Radar COVID): "The AEPD begins investigative actions to obtain information on the app for tracking possible COVID-19 infected [persons] announced yesterday by the Vice President and Minister of Economic Affairs, project of the Secretary of State for Digitalization and Artificial Intelligence". Read more


AEPD statement on coronavirus self-assessment apps and websites (26 March 2020)

Summary: AEPD sets out contact tracing app principles, underlining that the COVID-19 crisis should not lead to the suspension of data protection rights. Read more


AEPD statement in relation to websites and apps that offer self-assessments and advice on the coronavirus (16 March 2020)

Summary: AEPD issues warning about the proliferation of unofficial web and mobile apps that collect sensitive health data, pretending to be from the Ministry of Health. Read more


European Data Protection Board (EDPB)

Statement on the data protection impact of the interoperability of contact tracing apps (16 June 2020)

Summary: The EDPB understands that an interoperable network of contact tracing apps may increase their effectiveness, as they would cover more possible contacts, particularly for individuals who live in border regions or travel. In addition to the issues it already highlighted in its Guidelines 04/2020, the EDPB highlights further data protection issues related to the interoperability of the apps, including: users' control over their data, transparency, legal basis, controllership, exercise of data subject rights, data retention and minimization, information security and data accuracy. Read more


Guidelines 04/2020 on the use of location data and contact tracing tools in the context of the COVID-19 outbreak (21 April 2020)

Summary: With these guidelines, the EDPB provides practical guidance for GDPR-compliant COVID-19 contact tracing tools. It provides a series of recommendations, including: data protection impact assessments (DPIAs) must be carried out before implementing such apps and they must be published; installation must be voluntary and those refusing to use them should not be discriminated against; there must be clarity as to who the data controller is; the source code should be publicly available; contact tracing apps do not require tracking the location of individuals, and proximity should be used instead; GDPR principles, such as data minimization and data protection by design and by default, must be taken into consideration; data must be deleted once no longer required. The EDPB also encourages “a common European approach in response to the current crisis, or at least put in place an interoperable framework.” Read more


Statement on the processing of personal data in the context of the COVID-19 outbreak (19 March 2020)

Summary: The EDPB confirms that, even during a crisis such as the COVID-19 pandemic, the data controller and processor must ensure the protection of personal data. However, it also acknowledges that an emergency may legitimize restrictions of freedoms, provided these are proportionate and limited to the emergency period. The EDPB notes that personal data can be processed by competent public authorities assuming that there is a legal mandate provided by national law. In the employment context, employers are allowed to process personal data provided that they have appropriate legal grounds, such as public interest in public health or protection of vital interests (Art. 6 and 9 GDPR). With regard to the processing of telecom data, such as location data, the EDPB states that public authorities should first seek to process location data in an anonymous way. When this is not possible, EU Member States can introduce legislative measures on grounds of national and public security provided it constitutes a necessary, appropriate and proportionate measure within a democratic society. Read more


European Data Protection Supervisor (EDPS)

EDPS comments on cross-border exchange of data between national COVID-19 contact tracing and warning mobile applications (9 July 2020)

Summary: EDPS comments on the Commission draft implementing decision amending Implementing Decision 2019/1765 as regards the cross-border exchange of data between national contact tracing and warning mobile applications with regard to combatting the COVID-19 pandemic. Read more


TechDispatch: Contact Tracing with Mobile Applications (7 May 2020)

Summary: Contains explanations on what contact tracing is, data protection implications, data protection by design, purpose limitation, transparency issues and more. Read more
