In Europe

AST Private Company Solutions Leverages Box Platform to Power Astrella and Transform the Private Ownership Market

Wednesday, June 3, 2020 - 2:00pm

AST Private Company Solutions (AST PCS) today announced that it is leveraging Box Platform to power AST PCS's new Astrella capitalization (cap) table and ownership data management system, providing users with an encrypted cloud environment and immediate access to Box's secure cloud content management platform, data storage and collaboration tools.

Key Points: 
  • AST Private Company Solutions (AST PCS) today announced that it is leveraging Box Platform to power AST PCS's new Astrella capitalization (cap) table and ownership data management system, providing users with an encrypted cloud environment and immediate access to Box's secure cloud content management platform, data storage and collaboration tools.
  • By building this new feature on the Box Platform, Astrella users are able to seamlessly maintain company documents more securely and comply with the General Data Protection Regulation (GDPR).
  • Astrella was developed by AST PCS, the Silicon Valley-based unit of ownership data management leader AST, as a transformative technology in private company shareholder management.
  • Founded in 2019, AST PCS is an affiliate of AST and is focused on serving private companies worldwide.

MESA FINAL DEADLINE MONDAY: ROSEN, NATIONALLY REGARDED INVESTOR COUNSEL, Reminds Mesa Air Group, Inc. Investors of Important June 1 Deadline in First Federal Securities Class Action Filed by the Firm – MESA

Saturday, May 30, 2020 - 8:15pm

To join the Mesa class action, go to http://www.rosenlegal.com/cases-register-1825.html or call Phillip Kim, Esq.

Key Points: 
  • To join the Mesa class action, go to http://www.rosenlegal.com/cases-register-1825.html or call Phillip Kim, Esq. toll-free at 866-767-3653 or email pkim@rosenlegal.com or cases@rosenlegal.com for information on the class action.
  • Rosen Law Firm represents investors throughout the globe, concentrating its practice in securities class actions and shareholder derivative litigation.
  • 1 by ISS Securities Class Action Services for number of securities class action settlements in 2017.

FPF Releases New Report on GDPR Guidance for US Higher Education Institutions

Saturday, May 30, 2020 - 9:00pm

Today, FPF released The General Data Protection Regulation: Analysis and Guidance for US Higher Education Institutions by Senior Counsel Dr. Gabriela Zanfir-Fortuna.

Key Points: 
  • Today, FPF released The General Data Protection Regulation: Analysis and Guidance for US Higher Education Institutions by Senior Counsel Dr. Gabriela Zanfir-Fortuna.
  • The new report contains analysis and guidance to assist United States-based higher education institutions and their edtech service providers in assessing their compliance with the European Union's General Data Protection Regulation (GDPR).
  • When the GDPR came into effect, there was limited guidance and decisions available to help US higher education institutions and edtech companies in understanding their obligations.
  • Amelia Vance, FPF's Director of Youth & Education Privacy, cautioned that many U.S.-based institutions remain unprepared, despite the high stakes.

Questionmark Launches ‘GDPR for business professionals’ to Guard Against Fines and Breaches

Tuesday, May 26, 2020 - 1:46pm

GDPR for business professionals will tell organizations how well their people understand their responsibilities.

Key Points: 
  • GDPR for business professionals will tell organizations how well their people understand their responsibilities.
  • Only 20% believe they are fully GDPR compliant. Yet a breach in GDPR can incur a fine of 20 million.
  • GDPR for business professionals will give organizations confidence that relevant staff members understand what's expected of them.
  • It now provides ready-made assessment content, such as GDPR for business professionals, as well as the assessment platform and professional services.

ICC Launches AOKpass Declaration for COVID-19 Health Data Protection

Monday, May 25, 2020 - 11:00am

The International Chamber of Commerce (ICC) has today launched the ICC AOKpass Declaration on COVID-19 Health Data Protection.

Key Points: 
  • The International Chamber of Commerce (ICC) has today launched the ICC AOKpass Declaration on COVID-19 Health Data Protection.
  • Launched on General Data Protection Regulation (GDPR) Day, in celebration of the landmark data privacy protection laws in the European Union, the Declaration signals a bold vision for a post-COVID-19 world, working together for recovery, prosperity and the upholding of health data protection as a basic human right.
  • The Declaration expressly supports placing strict health data privacy at the core of COVID-19 compliance standards and verification systems, vital for recovery efforts.
  • The ICC AOKpass system, endorsed under the Declaration, will provide an international technical standard for COVID-19 compliance with strict inbuilt health data protection (also known as privacy-by-design under the GDPR).

Fine proposed for Danish recruitment company

Wednesday, May 20, 2020 - 10:01pm

The Danish Data Protection Authority considers that in a case on the right of access, the Danish recruitment company JobTeam has not met the basic requirements of the General Data Protection Regulation (GDPR) that personal data must be processed lawfully, fairly and transparently.

Key Points: 
  • The Danish Data Protection Authority considers that in a case on the right of access, the Danish recruitment company JobTeam has not met the basic requirements of the General Data Protection Regulation (GDPR) that personal data must be processed lawfully, fairly and transparently.
  • JobTeam has been reported to the police and a fine of DKK 50.000 has been proposed.
  • Fine proposal: The Data Protection Agency has decided to report JobTeam to the police and recommended that the company should pay a fine.

  • At the same time, when setting the amount of the fine, the Authority emphasises that the fine must be proportionate.

Twenty-eighth Plenary session: Art. 64 GDPR Opinion on draft SCCs submitted by the SI SA, Publication register of Art. 60 GDPR (OSS) Decisions

Wednesday, May 20, 2020 - 10:00pm

64 GDPR opinion on the draft Standard Contractual Clauses submitted by the Slovenian Supervisory Authority (SA) and decided on the publication of a register containing one-stop-shop decisions.

Key Points: 
  • 64 GDPR opinion on the draft Standard Contractual Clauses submitted by the Slovenian Supervisory Authority (SA) and decided on the publication of a register containing one-stop-shop decisions.
  • The EDPB adopted its opinion on the draft Standard Contractual Clauses (SCCs) for controller-processor contracts submitted to the Board by the Slovenian Supervisory Authority.
  • If all recommendations are implemented, the Slovenian SA will be able to adopt this draft agreement as Standard Contractual Clauses pursuant to Article 28(8) GDPR.
  • The EDPB will publish a register containing decisions taken by national supervisory authorities following the One-Stop-Shop cooperation procedure (Art.

Blockpass, Tozex Collaborate on Fully KYC & AML Compliant Crypto Asset Trading

Thursday, May 7, 2020 - 7:00am

HONG KONG, May 7, 2020 - (ACN Newswire) - Blockpass and crypto asset platform Tozex have announced a strategic collaboration and partnership.

Key Points: 
  • HONG KONG, May 7, 2020 - (ACN Newswire) - Blockpass and crypto asset platform Tozex have announced a strategic collaboration and partnership.
  • One of Tozex' highest values is ensuring the safety and legality of each investment by the investor community and conducted by each company on the Tozex Platform.
  • The strategic collaboration with BlockPass aims to simplify investor identification and KYC processes in the crypto asset industry, as well as ensure full compliance with 5AMLD and GDPR.
  • "Tozex will enable a fully legal and regulated investment process for both companies and investors to create a sustainable ecosystem for SMEs.

Active Navigation's Federal Data Products and Services Available on GSA Schedule Through immixGroup

Tuesday, May 5, 2020 - 1:00pm

The agreement will provide federal customers access to various procurement vehicles for Active Navigation's solutions.

Key Points: 
  • The agreement will provide federal customers access to various procurement vehicles for Active Navigation's solutions.
  • Directives from the Office of Management and Budget (OMB), such as M-19-21 and the 2020 Federal Data Strategy Action Plan, are changing the way federal agencies manage their data.
  • "Through our relationship with immixGroup and leveraging their broad contract portfolio, including the GSA Schedule, Active Navigation makes it easier for agencies to achieve visibility into their data estate, take control of their data and ensure compliance with government regulations," said Peter Baumann, Active Navigation's Chief Executive Officer.
  • Hundreds of companies and government agencies trust Active Navigation to help them control sensitive data and support compliance with various data privacy regulations such as CCPA and GDPR.

European Union’s Data-Based Policy Against the Pandemic, Explained

Friday, May 1, 2020 - 12:01am

Benefitting from a mature and largely harmonized data protection legal framework, the European Union and its Member States are taking policymaking steps towards a pan-European approach to enlisting data and technology against the spread of COVID-19 and to support the gradual restarting of the economy.

Key Points: 
  • Benefitting from a mature and largely harmonized data protection legal framework, the European Union and its Member States are taking policymaking steps towards a pan-European approach to enlisting data and technology against the spread of COVID-19 and to support the gradual restarting of the economy. Here is an overview of key recent events essential to understand EU’s data-based approach against the pandemic:
    • Early on, the European Data Protection Supervisor (EDPS) – which is the supervisory authority of the EU institutions and bodies and also the consultative body on EU legislation that may impact data protection, issued Comments on the European Commission’s plan to access telecommunications data from telecommunications service providers to monitor the COVID-19 spread (March 25), and also issued a public call for a pan-European approach against the pandemic (April 6).
    • Following a detailed Recommendation issued by the European Commission on April 8, the eHealth Network, a voluntary network providing a platform of Member States’ competent authorities dealing with digital health, published a week later a common EU Toolbox for Member States on contact tracing mobile applications. 
    • The Presidents of the European Commission and the European Council – which reunites the heads of state or government of EU Member States, published on April 15 an exit strategy, or Joint European Roadmap towards lifting COVID-19 containment measures, where the first two of seven measures proposed are based on the collection and use of data. 
    • The Commission also issued guidelines specifically on how these mobile applications should be designed and implemented to respect data protection requirements (April 16). 
    • The European Parliament adopted, on April 17, a resolution on EU coordinated action to combat the COVID-19 pandemic and its consequences, including specific recommendations and even ‘demands’ for certain safeguards around contact tracing applications, including a decentralized approach. 
    • The European Data Protection Board, the EU body reuniting the leaders of all Data Protection Authorities (DPAs) in the EU – meaning the only authorities that are competent to enforce data protection law within Member States both in the public and private sectors, published its Guidelines on contact tracing apps and the use of telecommunications data to fight the effects of the pandemic and Guidelines on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak (April 23). These guidelines come after several other instances where the EDPB quickly provided its view on related pressing issues: a letter to the Commission responding to a consultation on its data protection guidelines mentioned above, and a Statement on the processing of personal data in the context of the COVID-19 outbreak, with a focus on the employer-employee relationship. 
    • This contribution looks solely at EU-level policy, which will trickle down to national level.
    • The responses of national data protection authorities will be analyzed in a second part.
    • It is important to keep in mind that the EDPB acts as a liaison between EU level/agreed-upon data protection policy and national implementation.
    1. Preamble: Scientists were here first
      • A lot of attention is now paid to one protocol developed initially under that umbrella but which became independent: the Decentralized Privacy-Preserving Proximity Tracing (DP-3T) protocol.
      • This protocol was developed by over 25 scientists and academic researchers from across Europe and it was also scrutinized and improved by the wider community after being published.
      • Its data protection and security claims are scrutinized and open to feedback on GitHub.
      • Officials from Switzerland (non-EU, but associated country), Austria (EU) and Estonia (EU) announced they plan to implement the DP-3T protocol.
      • These decisions are currently being taken at national level, with the debate shifting every day.
    2. The European Data Protection Supervisor: Early call for Digital Solidarity in the EU
      • The EDPS also pointed out in the Comments that data protection rules currently in force in Europe are flexible enough to allow for various measures taken in the fight against pandemics.
      • On April 6, the European Data Protection Supervisor, Wojciech Wiewiórowski, doubled down on the European approach against the pandemic and issued a public message for EU Digital Solidarity.
      • He recalled that big data means big responsibility and pointed out that responsibility also means we should not hesitate to act when it is necessary.
      • There is also responsibility for not using the tools we have in our hands to fight the pandemic.
      • Wiewiórowski called for a pan-European model of a COVID-19 mobile application, coordinated at EU level.
    3. The European Commission: Recommendation for a common approach to contact tracing apps and eHealth Network’s Toolbox

      On April 8, the European Commission published a Recommendation on ‘a common Union toolbox for the use of technology and data to combat and exit from the COVID-19 crisis, in particular concerning mobile applications and the use of anonymised mobility data’. This Recommendation set up a process for developing a common approach within the EU to use digital means to address this crisis, referred to as a Toolbox.
    3.1. The Recommendation: Build a common Toolbox, a fragmented approach will not be effective
    • In addition to a pan-European approach for mobile apps designed to fight the pandemic, the Recommendation also pushes for ‘a common scheme for using anonymized and aggregated data on mobility of populations’, specifically in order to:
      • Model and predict the evolution of the disease;
      • Monitor the effectiveness of decision-making by Member States’ authorities on measures such as social distancing and confinement;
      • Inform a coordinated strategy for exiting from the COVID-19 crisis. 
    • According to the Commission, ‘respect for all fundamental rights, notably privacy as well as data protection, the prevention of surveillance and stigmatization’ should be ‘paramount throughout the process’. To this end, three key principles are laid out. The proposed Toolbox should:
      1. Strictly apply the purpose limitation principle (‘ensure that the personal data are not used for any other purposes such as law enforcement or commercial purposes’);
      2. Ensure regular review of the technical solutions proposed and ‘set appropriate sunset clauses’;
      3. Ensure that ‘the processing is effectively terminated and the personal data concerned irreversibly destroyed’, unless their scientific value for research outweighs the impact on the rights concerned. Any such further processing should be done ‘on the advice of ethics boards and data protection authorities’.
      • It also pointed out that a fragmented and uncoordinated approach risks hampering the effectiveness of measures aimed at combating the COVID-19 crisis, whilst also causing serious harm to the single market and to fundamental rights and freedoms.
      • Therefore, the Commission considers that a pan-European approach is necessary both for the economy preserving the single market, and for a coherent fundamental rights approach across the EU.
      • Further recommendations are made for each of the two envisaged scenarios involving data mobile apps and the use of aggregated telecommunications data.
      • The Commission does not express any preference for a specific architecture of contact tracing apps (centralized v. decentralized).
    3.2. The Common Toolbox: adopted by the eHealth Network and pushed against tech solutionism
    • The Toolbox sets out various relevant parameters to enable a coordinated development and use of ‘officially recognized contact tracing applications and the monitoring of their performances.’ It provides a detailed list of baseline requirements and functionalities that should be taken into account (see Annex I of the document), which have been ‘identified collectively by Member State authorities who are considering the launch of an app to support contact tracing.’ In eHealth Network’s view, the essential requirements for national apps are that they should be:
      • Voluntary;
      • Approved by the national health authority;
      • Privacy-preserving, with personal data securely encrypted;
      • Dismantled as soon as no longer necessary.
      • The Toolbox was adopted by the eHealth Network, which is a voluntary network that provides a platform of Member States' competent authorities dealing with digital health.
      • Enlisting the support of Member States for a pan-European approach of relying on data to fight the pandemic is essential.
      • This is because the European Union does not have exclusive competence on health matters.
      • Primary responsibility for health protection and, in particular, healthcare systems continues to lie with the Member States. The document solely focuses on mobile apps for contact tracing.
      • The Toolbox concludes that none of the above two options includes storing of unnecessary personal information.
      • Compared to other guidelines, there is more detailed focus in this Toolbox on the epidemiological relevance of any technological solution proposed.
    4. Joint Statement of the Presidents of the Commission and the Council: EU Exit Strategy Roadmap enlists data as key to lifting confinement 
      • This Roadmap contains principles that should guide the Member States and the EU in their exit strategy and a set of seven recommended measures.
      • The first two of these seven measures rely on using data.
      • The first recommended measure is to gather data and develop a robust system of reporting.
      • The second recommended measure is to create a framework for contact tracing and warning with the use of mobile apps which respect data privacy.
      • According to the signatories of the Joint Statement, contact tracing apps are particularly relevant in the phase of lifting containment measures.
      • According to the document, confidence in these applications and their respect of privacy and data protection are paramount to their success and effectiveness.
      • Indeed, the lack of a pan-EU approach to deploying and relying on contact tracing apps would risk endangering the freedom of movement which is so central to the EU.
    5. The European Commission: Data protection guidance on apps to support the fight against COVID-19
    • This guidance identifies and details ten elements that ensure ‘a trustful and accountable use of apps’:
      • National health authorities (or entities carrying out tasks in the public interest in the field of health) should be the data controller.
      • Ensuring that the individual remains in control (for example, different app functionalities – like information, symptom checker, contact tracing and warning functionalities, should not be bundled so that the individual can provide his/her consent specifically for each functionality).
      • As lawful grounds for processing: relying on consent for the installation of the apps and for placing information, such as random identifiers, on devices, in compliance with the ePrivacy Directive; for further processing, relying on a legal obligation for processing of the personal data by health authorities (Article 6(1)(c) and Article 9(2)(i) GDPR), as long as the law, even if pre-existent to the COVID-19 pandemic, provides for measures allowing for the monitoring of epidemics and meets further requirements set out in Article 6(3) GDPR; keeping in mind that there is a ‘prohibition’ of subjecting individuals to a decision based solely on automated processing which produces legal effect or similarly significantly affects the individual (Article 22 GDPR). 
      • Data minimisation (for example, ‘if the purpose of the functionality is symptom checking or telemedicine, these purposes do not require access to the contact list of the person owning the device’; for contact tracing, the Commission recommends the use of Bluetooth Low Energy (BLE) communications data, or data generated by equivalent technology, to determine proximity, considering that ‘for the metering of proximity and close contacts BLE communications between devices appears more precise, and therefore more appropriate, than the use of geolocation data (GNSS/GPS, or cellular location data)’).
      • Limiting the disclosure of/access to data, with different recommended access permissions depending on the functionality of the app.
      • Providing for precise purposes of processing: the Commission also advises against the use of the data gathered under the above conditions for other purposes than the fight against COVID-19, recommending additional limitations even with regard to processing for scientific research and statistics, which ‘should be included in the original list of purposes and clearly communicated to users.’
      • Setting strict limits to data storage: timelines should be based on ‘medical relevance’, as well as ‘realistic durations for administrative steps that may need to be taken’; for example, proximity data collected by contact tracing apps should be deleted ‘after maximum one month (incubation period plus margin) or after the person was tested and the result is negative’; health authorities may retain it for longer periods ‘for surveillance reporting and research provided it is in an anonymised form.’ 
      • Ensuring data security: the Commission recommends that the data should be stored on the terminal device of the individual ‘in an encrypted form using state-of-the art cryptographic techniques’; in the case that the data is stored in a central server, the access, including the administrative access, should be logged. 
      • Ensuring the accuracy of data: accuracy on whether a contact with an infected person (epidemiological distance and duration) has taken place is essential, to minimise the risk of having false positives.
      • Involving DPAs, which should be consulted in the context of the development of the app; further along, they should keep its deployment under review.
      • To complement the features recommended in the Toolbox for contact tracing apps by the eHealth Network, the Commission published separately, on April 16, data protection guidance for apps to support the fight against COVID-19.
      • This abundance of data protection guidance may be confusing for app developers and for the public authorities wanting to implement apps, considering that both the EDPS and the EDPB have been very active in giving input, following their specific mandate.
      • This specification was included in the letter the EDPB sent to the Commission in response to a consultation on this draft guidance.
      • This would mean that proximity data will be available to the health authorities only after the infected person (after having been tested) proactively shares these data with them.
    6. The European Parliament: A Resolution on EU coordinated action to combat the COVID-19 pandemic
      • The European Parliament adopted on April 17 a Resolution on EU coordinated action to combat the COVID-19 pandemic and its consequences, where it recalled that solidarity among the Member States is not an option but a Treaty obligation and forms part of the European values and it sanctioned the lack of coordination and solidarity among Member States at the beginning of the pandemic.
      • Under this latter headline, the Resolution includes specific references to relying on telecommunications data and on contact tracing applications in a way that is congruent with fundamental rights.
      • The Parliament took a stance unequivocally in favor of decentralized contact tracing apps, as opposed to centralized apps, and it pushed for transparency and demonstrable necessity of these apps.
      • While recommending a pan-European approach to the use of contact tracing apps, the Parliament also acknowledged these initiatives seem to be primarily national at this point.
    7. The European Data Protection Board: Ample guidance on enlisting data against the spread of the COVID-19 pandemic 
      • On April 21, it adopted two sets of Guidelines which are essential to inform the responses at national level, one focused on the use of location data and contact tracing tools, and the other one on the processing of health data for research purposes in the context of the COVID-19 pandemic.
      • The Guidelines of the EDPB are very important from two points of view.
      • Second, they are capable of ensuring a harmonized approach across the EU, at a time when national governments prefer to act by themselves, contributing thus decisively to a pan-European approach of the data-based response to the COVID-19 pandemic.
    7.1. Processing of health data for research purposes
    • Starting from the premise that ‘the GDPR is a broad piece of legislation and provides for several provisions that allow to handle the processing of personal data for the purpose of scientific research connected to the COVID-19 pandemic in compliance with the fundamental rights to privacy and personal data protection’, the EDPB published guidance to support compliant scientific research involving health data. Here are some of the key points:
      • What is ‘scientific research’? The EDPB noted that the special GDPR regime for processing of personal data for scientific research purposes applies to ‘a research project set up in accordance with relevant sector-related methodological and ethical standards, in conformity with good practice’ and the term scientific research ‘may not be stretched beyond its common meaning.’ The EDPB also clarified that when talking about processing of health data for the purpose of scientific research, there are two types of data uses:
    7.2. Location data, ‘notoriously difficult to anonymize’
      • This is a call for any data-based solutions to be grounded in actual needs of authorities to manage the pandemic.
      • Such applications need to be a part of a comprehensive public health strategy to fight the pandemic, including, inter alia, testing and subsequent manual contact tracing for the purpose of doubt removal.
      • Accessing or collecting location data from both these sources falls under the provisions of the ePrivacy Directive.
      • As such, location data collected from electronic communication providers may only be processed under the conditions of Articles 6 and 9 of the ePrivacy Directive.
      • As for collecting location data and other information directly from the terminal equipment (device) of a user, Article 5(3) of the ePrivacy Directive is applicable.
      • The EDPB stopped short of giving some examples on what type of services in the context of COVID-19 can argue they need access to location data because it is strictly necessary to provide the service.
      • However, these exceptions can only be adopted if they concern national security, defence, public security and the prosecution of criminal offenses.
    7.3. Contact tracing: the door was kept open for both centralized and decentralized apps
    • With regard to contact tracing apps, the EDPB points out from the outset that ‘the systematic and large scale monitoring of location and/or contacts between natural persons is a grave intrusion into their privacy.’ This is why ‘it can only be legitimised by relying on a voluntary adoption by the users’. The EDPB continues with a series of recommendations:
      • Responsibility: As a first rule, the EDPB underscores that the controller of any contact tracing application should be clearly defined, to ensure accountability. Public health authorities are a natural choice, but ‘other controllers may also be envisaged’. In any case, regardless of the number and nature of actors involved in controlling the data processing through the app, their responsibilities ‘must be clearly established from the outset and be explained to users.’ 
      • Purpose limitation: the purposes of the app must be specific enough to exclude further processing for purposes unrelated to the management of COVID-19, like commercial or law enforcement purposes. 
      • General lawful basis: the storage and access to information already stored on devices are subject to Article 5(3) GDPR, which means that for all data that is not strictly necessary to provide the service requested by the user, consent will be required. For the further processing of data, the EDPB highlights that ‘the mere fact that the use of contact-tracing applications takes place on a voluntary basis does not mean that the processing of personal data will necessarily be based on consent.’ The Board advises that Article 6(1)(e) GDPR is the most relevant legal basis whenever public health authorities or other public authorities are the controllers (meaning the necessity to process data for the performance of a task in the public interest). If this lawful ground is relied on, additional Union or Member State laws that detail the tasks must be in place. The EDPB seems to suggest new, dedicated legislation is needed, because it will have to provide for meaningful safeguards, including ‘a reference to the voluntary nature of the application’, a clear specification of purpose and explicit limitations concerning the further use of personal data, a clear identification of the controllers involved, and, potentially, ‘as soon as practicable, the criteria to determine when the application shall be dismantled and which entity shall be responsible and accountable for making that determination.’ Controllers could also rely on consent as a basis for processing, but in that case they need to ensure all conditions for valid consent are met, including the possibility for users to withdraw consent at any time.
      • In its closing remarks, the EDPB showed that data and digital technologies can be key components in the fight against COVID-19, but it also warned against the ratchet effect: ‘It is our responsibility to ensure that every measure taken in these extraordinary circumstances are necessary, limited in time, of minimal extent and subject to periodic and genuine review as well as to scientific evaluation.’
      • The EDPB added that one should not have to choose between an efficient response to the current crisis and the protection of our fundamental rights.
      • We can achieve both, and moreover data protection principles can play a very important role in the fight against the virus.
    8. Conclusion
      • The push for a pan-European approach, which was sparked by scientists working across borders to build a protocol for a contact tracing app that is privacy preserving, seems to be successful, even if not entirely.
      • Several Member States have already announced that they will implement the same decentralized protocol for a contact tracing app (Estonia, Austria, but also Switzerland as an associated country to the EU), with others, like Germany and Italy, now considering a decentralized approach to contact tracing after having initially announced plans for a centralized approach.
      • Developments at national level, at least in the Member States of the EU, will be ultimately influenced by EU policy.
      • Be it a decentralized or centralized approach to contact tracing, or any of the other necessary uses of personal data for modelling or research in the context of the COVID-19 pandemic, they will all need to follow data protection rules and principles, as provided by EU law.
    Table 1. List of EU policy documents and guidance in relation to COVID-19 and data protection