COVID-19 IMPACT ON PERSONAL DATA PROCESSING

Privacy is a constitutional right in the Albanian jurisdiction, specifically regulated under article 35 of the Constitution of the Republic of Albania.

First paragraph of article 35 provides that: “No one can be forced to disclose its personal data except when such disclosure is required by law”. Second paragraph thereof provides that: “Collection, use and disclosure of any personal data is performed with the consent of the data subject, except in the cases provided by law.”

Hence, although a constitutional right, the right to privacy is not absolute as it may be subject to restrictions in some specific cases provided by the law.

Specifically, processing of personal data is governed and regulated by Law no. 9887 dated 10.03.2008 “On protection of personal data” as amended (hereinafter referred to as the “Law”).

Article 5 of the Law sets out the principles of protection of personal data which imply that personal data must be: (i) processed fairly and lawfully; (ii) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes, (iii) adequate, relevant and not excessive in relation to the purposes for which they are processed; (iv) accurate, (v) kept for no longer than it is necessary for the purposes for which the data are processed.

Article 6 of the Law provides that personal data may be processed only if: (i) the data subject has given its consent, (ii) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into or with the aim of amending a contract, (iii) protection of essential welfares of the data subject, (iv) processing is necessary for compliance with a legal obligation to which the controller is subject, (v) processing is necessary for the exercise of a duty with an impact on public interest or for the exercise of a power vested to the controller or to a third party to which the personal data are disclosed; (vi) processing is necessary for protection of the legitimate rights and interests of the controller, recipients or other interested parties.

In the current situation created by the spread of COVID-19 virus, naturally came out the necessity to adopt special measures by the Albanian government. These measures were formalized inter alia with the declaration of the state of natural disaster upon Decision of the Council of Ministers no. 243 dated 24.03.2020, which determined certain restrictions on several constitutional rights such as the inviolability of the residence, right to private ownership, right to select the place of residence and the free circulation, right to labor and to strikes.

Despite not explicitly restricted in the framework of the measures undertaken by the public authorities, another constitutional right which is affected due to these measures is the right to privacy.

Pursuant to the regulatory acts adopted in the framework of the measures undertaken to contrast spread of COVID-19 virus, certain private and public entities are vested and/or assigned specific duties for the transition of the emergency situation, which execution requires an increased and not ordinary flow of personal data processing. We could name a few like the State Police, which commitment in support of the ministry responsible on health, is provided by the Normative Act no. 2 dated 11.03.2020 of the Council of Ministers “On some addendums and amendments to Law no. 15/2016 “On prevention and fight against spread of infection and infective diseases” as part of the measures undertaken to contrast the spread of COVID-19 virus.

The exercise of these powers, consisting of limited circulation of citizens, abrupt house controls, tracing location data of citizens who have entered the Albanian territory from countries with epidemiological risk and are subject to self-quarantine, requires processing of personal data, which in some cases involve as well health data, classified by the Albanian legislation on personal data protection, as sensitive data.

In the current situation, the processing of personal data is based on article 6 (d) of the Law: “…..processing is necessary for the exercise of a duty with an impact on public interest or for the exercise of a power vested to the controller or to a third party to which the personal data are disclosed;”. In case the processing involves sensitive data, it may be grounded on article 7 (dh) of the Law: “processing of personal data is necessary for preventive medicine, medical diagnosis, the provision of care or treatment or the management of health-care services, and where those data are processed by health professionals or by other persons which are subject to confidentiality obligations.”.

The concern that arises is related with the appropriate processing of these data.

In this context the Information and Data Protection Commissioner has issued the Guidance dated 20.03.2020, on “Protection of Personal Data in the Fight Against COVID-19”, as well as the Guidance dated 06.04.2020, on “Processing of Personal Data in Specific Sectors in the Framework of Measures Adopted Against COVID-19”.

In the above mentioned guiding documents, the Commissioner recognizes the necessity to an increased processing and exchange of personal data and provides guidance on public and private controllers in connection with the grounds to adopt for their processing without having to collect the consent of the data subject or obtain any preliminary authorization by the Commissioner.

Specifically the Commissioner provides that: (i) processing of employees’ sensitive data connected with their health conditions and compliance with hygiene requirements, (ii) transmission to the competent authorities by telecommunications companies of location data processed in the framework of their ordinary activity, and (iii) processing by such authorities of sensitive data for the epidemiological surveillance, performed in the framework of the measures undertaken to prevent the spread of COVID-19 virus, do not constitute violation of the legislation on data protection.

On the other hand, the Commissioner provides guidance on the controllers in connection with the proper interpretation and fair implementation of the legislation governing protection of personal data in the framework of the measures adopted to contrast the spread of COVID-19, as well as highlights the obligation of the controllers to protect the personal data processed from any potential impair.

The Commissioner invite controllers to address their attention mainly on three topics: (i) adequacy of personal data processed, or otherwise that personal data must relevant and not excessive in relation to the purposes for which they are processed (ii) adoption of technical and organizational measures to ensure safety and confidentiality of data, as well as (iii) ensure that the personal data are properly destroyed upon termination of the emergency period, or otherwise once the purpose of the processing is not anymore applicable.

Violation of the legal requirements would constitute grounds for data subjects which are affected from unfair processing of personal data to undertake legal actions against the responsible controllers.

In addition, the Guidance mentioned above, reflects the message of the Declaration of the Executive Committee of the Global Privacy Assembly where it is explicitly indicated the constructive approach that the data protection authorities must adopt towards public and private controllers to the benefit of the fight against the spread of the virus. The data protection must not be understood in a way to impede the successful and efficient addressing of the situation created by the spread of COVID-19 virus.