Apps Controlling Access in the Age of COVID-19: The Spanish AEPD Weighs In

July 12, 2020Articles

Spanish data protection authority Agencia Española de Protección de Datos (AEPD) has published helpful guidelines on the data protection aspects of using mobile apps intended to control access to places of business while the COVID-19 epidemic rages on:

  • Limited, clear purpose: The purpose must be clearly defined and should be limited to the management of social distance such as capacity control or distance control.
  • Data processing should be effective: The proposed data processing operations must be really effective in relation to purpose and cannot generate false expectations of security in accordance with the principle of fairness of the processing.
  • Data processing must be necessary and proportionate: The implementation of data processing operations in apps must be based on an analysis of necessity and proportionality in order to determine both the use of the app and the minimum data set necessary to achieve the purposes. In particular, the identity of the user, including the use of unique identifiers of any kind or those from the WiFi or bluetooth signal, can only be processed if they are strictly necessary for the purpose of the app.
  • Limited use of special category data: Special categories of data, in particular health data, should not be used except when strictly necessary to manage the spaces reserved for people with disabilities.
  • Use only for the specific purpose of pandemic management/social distancing: The functionalities of the app must be exclusively those necessary to the specific purposes pursued, and should not mix features like loyalty, advertising or social networks. You should not process personal data for any other purpose than in connection with the management of the measures of social distance that justify the implementation of the app.
  • Voluntary use: The use of the app must be of a voluntary nature, based on the consent of the user for the processing of personal data necessary for each of the functionalities that are pursued. The processing must be based on free, informed and specific consent. The use of a certain app should not condition access to public spaces, you should provide alternatives with the same degree of ease of use.
  • Compliance with data protection principles: Ensure compliance with the principles of the General Data Protection Regulation (GDPR) and LOPDGDD (the local Spanish law implementing GDPR) in all the data processing operations carried out, including those related to the need for contracts or legal ties that regulate said treatments when performed by third parties and to ensure adequate security measures.
  • In the case of public spaces, the person responsible for the processing must be the public administration, which will be the one to decide the purposes and means of the treatment of data.
  • Be careful with your third party providers: The use of third-party tools or resources for the implementation or development of the app could include processing of personal data for the purpose of advertising, usage analysis or other reasons, in particular the treatment of unique identifiers and data from geolocation that involves tracking people or profiling. Therefore, use only those that offer enough guarantees that said processing is compliant with data protection principles.
  • Delete when no longer necessary: The personal data processed must not be stored beyond the necessary time to fulfill the purposes pursued, except for data that is necessary to keep by legal obligation.
  • Common solutions to access: As much as possible, adopt common solutions for access to different public spaces in the same environment (city, province, region), so as to avoid exposing users to the potential risks of multiple apps.
  • Children's data: Processing personal data of children under 14 for this type of app must be consented to by their parents or guardians.

Odia Kagan is a partner in the firm's Privacy & Data Security Practice and Chair of the GDPR Compliance & International Privacy Practice. She can be reached at [email protected] or 215.444.7313.