Guideline 04/2020 – Use of location data and contact tracing tools in the context of COVID-19 outbreak
Section 3.1 General legal analysis
24 The systematic and large scale monitoring of location and/or contacts between natural persons is a grave intrusion into their privacy. It can only be legitimised by relying on a voluntary adoption by the users for each of the respective purposes. This would imply, in particular, that individuals who decide not to or cannot use such applications should not suffer from any disadvantage at all.
25 To ensure accountability, the controller of any contact tracing application should be clearly defined. The EDPB considers that the national health authorities could be the controllers for such application; other controllers may also be envisaged. In any cases, if the deployment of contact tracing apps involves different actors their roles and responsibilities must be clearly established from the outset and be explained to the users.
26 In addition, with regard to the principle of purpose limitation, the purposes must be specific enough to exclude further processing for purposes unrelated to the management of the COVID-19 health crisis (e.g., commercial or law enforcement purposes). Once the objective has been clearly defined, it will be necessary to ensure that the use of personal data is adequate, necessary and proportionate.
27 In the context of acontact tracing application, careful consideration should be given to the principle of data minimisation and data protection by design and by default:
contact tracingapps do not require tracking the location of individual users. Instead, proximity data should be used;
as contact tracing applications can function without direct identification of individuals, appropriate measures should be put in place to prevent re-identification;
the collected information should reside on the terminal equipment of the user and only the relevant information should be collected when absolutely necessary.