Table 2. GDPR and ePrivacy Directive best practices for contact-tracing solutions
| Principles | Definitions | Best Practices |
|---|---|---|
| Access to terminal equipment | Article 5(3) ePrivacy Directive requires either (i) the user’s freely given, specific, informed and unambiguous consent or (ii) to justify that the storage and access is strictly necessary to ensure the proper functioning of a service explicitly requested by the user | In the context of contact tracing apps, it could be argued that access to terminal equipment is strictly necessary for the functioning of BLE-based digital contact tracing solutions |
| Lawfulness | Article 5(1)a GDPR requires controllers to justify personal data processing using one of the lawful grounds listed in Article 6(1) | As suggested by the EDPB, the appropriate lawful ground would be, in most cases, Article 6(1)e (task carried out in the public interest) |
| Special categories of personal data | Article 9(1) prohibits the processing of special categories of personal data unless one of the exemptions listed in Article 9(2) applies | As suggested by the EDPB, the relevant exemption would be, in most cases, Article 9(2)i (reasons of public interest in the area of public health) or h (preventive or occupational medicine) |
| Transparency | Articles 12, 13 and 14 GDPR require controllers to report about their processing activities in a concise, transparent, intelligible and easily accessible form, using clear and plain language | (i) Provide the identity and contact details of the controller, the purposes and lawful ground of the processing, the recipients of personal data if any, the retention period and the existence of the multiple prerogatives granted to data subjects such as the right to access and erasure; (ii) Transparent and verifiable development through open-source code, external audits and publicly available Data Protection Impact Assessments |
| Purpose limitation | Article 5(1)b GDPR requires personal data to be (i) collected for explicit, specified and legitimate purposes, i.e. purpose specification, and (ii) not further processed in a manner that is incompatible with those purposes, i.e. compatibility assessment | (i) Only collect personal data the repurposing potential of which is limited, such as ephemeral identifiers; (ii) Avoid the bundling of functionalities within the same app (e.g., a single app providing general information, symptom checker features and contact tracing) or grant users granular control over which of them they wish to opt in to |
| Data minimisation | Article 5(1)c GDPR requires controllers to only collect and further process personal data that is necessary for the purposes that have been specified | (i) Avoid the use of geolocation and/or movement data (BLE is less privacy-invasive); (ii) Avoid storing the exact time of contact or any type of metadata that is not specific to the contact or its duration |
| Storage limitation | Article 5(1)e GDPR requires controllers to tailor the retention period to the purposes of the processing | Proximity data (or EphIDs in the case of BLE-based solutions) and any personal data stored in the backend server should be deleted as soon as they are no longer necessary for alerting individuals |
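The data minimisation and storage limitation rows above describe what a BLE-based app should keep per contact (an ephemeral identifier and a duration, no exact time and no location) and for how long. The following Python is an example added here to make those two rows concrete; it is not code from any real contact-tracing project or from the paper. The record layout, the 15-minute duration granularity, the 14-day retention window and the 16-byte EphID length are assumptions chosen for illustration.

```python
"""Minimal data-minimising contact log (added illustration, not a project's code).

A raw BLE observation (exact start and end timestamps) is reduced to the
three fields a matching step actually needs: EphID, calendar day, and a
coarse duration bucket. Exact times and any location data are never stored,
and records are purged once they fall outside the retention window.
"""
from __future__ import annotations

import math
import secrets
from dataclasses import dataclass
from datetime import date, datetime, timedelta

RETENTION_DAYS = 14   # assumed retention window, not a value from the table
BUCKET_MINUTES = 15   # assumed granularity for the stored contact duration


def new_ephid() -> bytes:
    """Fresh random 16-byte ephemeral identifier (EphID); rotating it limits repurposing."""
    return secrets.token_bytes(16)


@dataclass(frozen=True)
class ContactRecord:
    """Everything retained per contact: no exact timestamp, no metadata, no location."""
    ephid: bytes
    day: date               # calendar day only, not the exact time of contact
    duration_bucket: int    # contact length rounded up to whole BUCKET_MINUTES units


def minimise(ephid: bytes, start: datetime, end: datetime) -> ContactRecord:
    """Reduce a raw observation with exact start/end times to a minimised record."""
    if end < start:
        raise ValueError("contact end precedes its start")
    minutes = (end - start).total_seconds() / 60
    bucket = max(1, math.ceil(minutes / BUCKET_MINUTES))   # ceil, never 0
    return ContactRecord(ephid=ephid, day=start.date(), duration_bucket=bucket)


class ContactLog:
    """On-device store of minimised contact records with automatic expiry."""

    def __init__(self) -> None:
        self._records: list[ContactRecord] = []

    def record(self, ephid: bytes, start: datetime, end: datetime) -> ContactRecord:
        """Store a contact; the exact timestamps are discarded here and never persisted."""
        rec = minimise(ephid, start, end)
        self._records.append(rec)
        return rec

    def purge(self, today: date) -> int:
        """Storage limitation: drop records older than RETENTION_DAYS; returns how many."""
        cutoff = today - timedelta(days=RETENTION_DAYS)
        before = len(self._records)
        self._records = [r for r in self._records if r.day >= cutoff]
        return before - len(self._records)

    def exposures(self, published: set[bytes], min_buckets: int = 1) -> list[ContactRecord]:
        """Match stored EphIDs against a published set of EphIDs (the alerting step).

        `min_buckets` lets the caller ignore contacts shorter than a threshold.
        """
        return [r for r in self._records
                if r.ephid in published and r.duration_bucket >= min_buckets]

    def __len__(self) -> int:
        return len(self._records)


if __name__ == "__main__":
    # Constructed sample observations, not real data.
    log = ContactLog()
    peer = new_ephid()
    rec = log.record(peer, datetime(2020, 5, 1, 10, 0), datetime(2020, 5, 1, 10, 20))
    print("stored:", rec)                       # only ephid, day and duration_bucket
    log.record(new_ephid(), datetime(2020, 4, 1, 9, 0), datetime(2020, 4, 1, 9, 5))
    print("purged:", log.purge(date(2020, 5, 10)), "record(s) past retention")
    print("exposures:", log.exposures({peer}))
```

The design point is that `minimise` runs before anything is written, so the exact time of contact exists only transiently in memory, and `purge` is the only path for a record to leave the store, which makes the retention rule auditable in one place.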