Geolocation Data and COVID-19: Argentina’s Data Protection Authority Issues GuidanceMay 7, 2020
Argentina's data protection authority has issued guidance on processing geolocation data in the context of the COVID-19 health emergency.
- All information referring to the location of a person and/or their movements constitutes personal data.
- Location data is defined as information collected by a network or service about where the user's phone or other device is or was located.
- Location data can be inferred by GPS (global positioning system), cell towers (mobile phone operators), WiFi networks, Bluetooth or a combination of signals
- The state authorities will be authorized to carry out the monitoring as long as they do it within the scope of their specific competence. Said competence must be interpreted strictly and not broadly. When they do not have this authorization, monitoring must be based on another alternative legal basis, such as consent.
- For the transfer of data referring to the location of a person and/or his movements between public bodies, the consent of the owner of the data is not required to the extent that the transferor has obtained the data in the exercise of his functions, the assignee uses the data intended for a purpose that is within the framework of its competence, and finally, the data involved is adequate and does not exceed the limit of what is necessary in relation to this latter purpose.
- Those responsible for the processing of personal data may carry out monitoring activities if the data is anonymized
- When monitoring is authorized by the consent of the owner of the data, the person responsible for the processing of personal data must give the owner the opportunity to revoke it at any time.
- To monitor or follow the geolocation of a person, those responsible for the processing of personal data must at all times respect the principle of data quality, namely:
- The personal data collected for the purposes of its treatment must be true, adequate, pertinent and not excessive in relation to the scope and purpose for which it was obtained.
- The data collection cannot be done by unfair, fraudulent means or contrary to the provisions of law.
- The data subject to monitoring cannot be used for purposes other than or incompatible with those that motivated its collection.
- The data must be accurate and updated if necessary.
- Data that is totally or partially inaccurate, or that is incomplete, must be deleted and replaced.
- The data must be stored in a way that allows the exercise of the rights of access, rectification and deletion of personal data
- The data must be destroyed when it is no longer necessary or pertinent to the purposes for which they were collected
- You must clarify how and why you track people, where the information is stored, with whom that data is shared, the consequences of the treatment and the possibility that the owner of the data has to exercise access rights, rectification or deletionץ
- The data must be stored so that the principles of security and confidentiality under the law are maintained.
- The person responsible for the processing of personal data carry out an evaluation of impact prior to the implementation of the tool, in order to control and mitigate its risks, as well as assess its viability.
Odia Kagan is Chair of the firm's GDPR Compliance & International Privacy Practice. She can be reached at 215.444.7313 or [email protected].