Le condizioni ricavabili dal Regolamento generale sulla protezione dei dati per le applicazioni nazionali di tracciamento dei contatti: alcune considerazioni

In order to manage the COVID-19 pandemic, several EU Member States have decided to use contact tracing apps, which can display different characteristics: some of them rely on Blue-tooth technology, while others on GPS location; some of them adopt a decentralised approach in data collection, while others a centralised approach. The present Insight focuses on the conditions that such apps must follow in order to be respectful of the General Data Protection Regulation (GDPR). First of all, it is necessary to choose a suitable legal basis for the processing, remembering that when sensitive data (such as health data) are collected the range of possibilities is even nar-rower. Depending on such choice, the processing is subject to different limits. Secondly, there are many principles which must be followed in any case, such as purpose limitation, data minimisation and storage limitation. Finally, the data subject must be put in a position to exercise his rights, and the data controller must fulfil obligations such as carrying out an impact assessment and adopting adequate security measures. Taking into consideration such conditions, it seems clear that accord-ing to the GDPR some contact tracing apps are more preferable than others, depending on their characteristics. In conclusion, it is possible to state that the GDPR balances public health and data protection by suggesting a graduality principle: the less privacy-invasive solution must be chosen, and it can be incremented only if the purposes cannot be sufficiently achieved. It is the only way to build trust in the users and therefore guarantee the effectiveness of the measures.