VDAI - NVSC vs UAB

From GDPRhub
VDAI - Quarantine App ("Karantinas")
Authority: VDAI (Lithuania)
Jurisdiction: Lithuania
Relevant Law: Article 5 GDPR
Article 5(1)(a) GDPR
Article 5(1)(f) GDPR
Article 13 GDPR
Article 24 GDPR
Article 32 GDPR
Article 35 GDPR
Article 58(2)(f) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 26.02.2021
Fine: 15000 EUR
Parties: Nacionaliniam visuomenės sveikatos centrui (NVSC)
UAB „IT sprendimai sėkmei“ (Company)
National Case Number/Name: Quarantine App ("Karantinas")
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Lithuanian
Original Source: Valstybinė duomenų apsaugos inspekcija (in LT)
Initial Contributor: n/a

The Lithuanian DPA (VDAI) imposed two fines after investigating the Quarantine App launched by the National Center for Public Health in cooperation with UAB IT Solutions Success. The National Center for Public Health was fined €12,000 for breaching Articles 5, 13, 24, 32, 35 and 58(2)(f) GDPR. UAB IT Solutions Success was fined €3,000 for violating Articles 5, 13, 24, 32 and 35 GDPR.

English Summary

Facts

The Lithuanian DPA (VDAI) launched an investigation into the Lithuanian Quarantine App ("Karantinas") in May 2020 after information in the media that there potentially was unlawful processing of personal data involved. This App was launched by the National Center for Public Health (Nacionaliniam visuomenės sveikatos centrui) and developed by UAB IT Solutions Success (UAB „IT sprendimai sėkmei“).

The App was suspended after preliminary findings, which triggered the investigation process. The DPA ordered UAB IT Solutions Success to suspend the processing of personal data; however, the Company deleted the data instead.

In the investigation, the DPA found that the personal data of 677 individuals were collected in April 2020. This generally included personal data such as identification number, latitude and longitude coordinates, country, city, municipality, postal code, street name, house number, name, surname, personal code, telephone number, address, 2nd address, whether the place of residence is declared in Lithuania and other information. The processing was conducted in Lithuania, other EU/EEA States, as well as third countries (non-EU such as India and the US).

Dispute

Was the Lithuanian Quarantine App in violation of the GDPR?

Holding

The Lithuanian DPA first established that the National Center for Public Health (Nacionaliniam visuomenės sveikatos centrui) and the Company responsible for developing the App, UAB IT Solutions Success (UAB „IT sprendimai sėkmei“), were joint controllers.

The DPA discovered from its investigation that a Data Protection Impact Assessment had to be done prior to processing in line with Article 35 GDPR. The App concerned processed personal data using new technology as well as a systematic monitoring of data subjects in self-isolation. The App also aimed to process large datasets (data subjects throughout Lithuania and abroad). The processing was intended to be continuous and vulnerable data subjects were concerned.

The DPA found that the National Center for Public Health violated Article 24 and 32 GDPR on the implementation of organisational measures, as well as the principle of integrity and confidentiality found in Article 5(1)(f) GDPR.

The DPA found that both the National Center for Public Health and UAB IT Solutions Success violated the principle of lawfulness under Article 5(1)(a) GDPR, as they failed to prove that they had a legal basis for the processing. The principle of transparency (Article 5(1)(a) GDPR) was also infringed. Finally, as neither entity recognised that it was a data controller, the accountability principle was not met (violation of Article 5(2) GDPR).

In summary, the DPA found that the National Center for Public Health breached Articles 5, 13, 24, 32, 35 and 58(2)(f) GDPR and imposed a fine of €12,000 on the public body. In turn, the DPA found that UAB IT Solutions Success violated Articles 5, 13, 24, 32 and 35 GDPR and imposed a fine of €3,000.

The fines reached this level because the National Center for Public Health and UAB IT Solutions Success processed personal data without a legal basis, intentionally and systematically, and without technical and organisational measures. The DPA also took into consideration that special categories of personal data were concerned. Finally, UAB IT Solutions Success did not comply with the DPA's request to suspend the processing and instead deleted the personal data collected.

Comment

The DPA's decision can be appealed within one month from the date of the decision.

Further Resources


English Machine Translation of the Decision

The decision below is a machine translation of the Lithuanian original. Please refer to the Lithuanian original for more details.

After the use of the Quarantine app was temporarily suspended in May 2020, in February 2021, following an investigation carried out by the State Data Protection Inspectorate (SDPI), fines were imposed on the National Center for Public Health (NVSC) and on UAB IT Solutions Success (the Company), which developed the app, for violations of the General Data Protection Regulation (BDAR).

A fine of 12 thousand euros was imposed on NVSC for infringements of Articles 5, 13, 24, 32, 35 and 58(2)(f) of the BDAR. A fine of 3 thousand euros was imposed on the Company for the established violations of Articles 5, 13, 24, 32 and 35 of the BDAR.

In the spring of 2020, the SDPI started monitoring activities in response to information in the media about the possible improper processing of personal data by the Quarantine app. After evaluating the initial information, it was decided to open an investigation and to temporarily suspend the processing of personal data by the app.

The investigation found that after the app became operational in April 2020, data from 677 individuals were collected. Not all personal data were collected to the same extent, but the app provides for the processing of personal data such as identification number, latitude and longitude coordinates, country, city, municipality, postal code, street name, house number, name, surname, personal code, telephone number, address, second address, whether the place of residence is declared in Lithuania, and other information. According to the submitted data, it was established that the processing of the app data was performed not only in the territory of Lithuania, but also in Europe (Estonia, Switzerland, etc.) and abroad (India, USA, etc.).

After conducting an investigation, the SDPI found that both NVSC and the Company are joint data controllers, although both organizations denied such status.

When deciding on the imposition and amount of the administrative fine, VDAI took into account the fact that NVSC and the Company processed personal data intentionally, to a large extent, illegally and systematically, without providing technical and organisational means to prove compliance with BDAR requirements, and that special categories of personal data were processed. In addition, the Company did not comply with the instruction given to it by VDAI to suspend the processing of personal data collected with the help of the app, and deleted part of the personal data.

The decision of the SDPI may be appealed to a court within one month from the date of its service in accordance with the procedure established by legal acts.


Further investigation findings

Data Protection Impact Assessment (PDAV). Following an investigation, the SDPI found that a data protection impact assessment (PDAV) had to be carried out in order to process the data. Article 35(1) of the BDAR provides that where a type of processing, in particular one using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons, taking into account the nature, scope, context and purposes of the processing, the controller shall carry out a PDAV of the envisaged data processing operations before starting the data processing.

The processing of personal data by the app is considered processing using a new technology, as well as systematic monitoring, since in this case the processing concerns data subjects using the app for self-isolation monitoring and control. Also, with the help of the app it was planned to process a large amount of personal data of data subjects in the whole territory of Lithuania and abroad. In addition, according to the information collected during the VDAI investigation, it can be concluded that the processing of personal data was planned to be carried out on a continuous basis. The personal data of persons identified as vulnerable (i.e. patients, children, the elderly, etc.) were processed, including but not limited to health data.

Among other things, in the opinion of VDAI, NVSC, which managed state information resources by performing the function of prevention and control of communicable diseases and by processing personal data collected by the app, violated the requirements of Articles 24 and 32 of the BDAR on the implementation of appropriate organisational measures, and the principle of integrity and confidentiality provided for in Article 5(1)(f) of the BDAR (personal data must be processed in a manner that ensures appropriate security of the personal data by appropriate technical or organisational measures, including protection against accidental loss, destruction or damage).

Violated principles. Taking into account that NVSC and the Company did not prove the lawfulness of the processing of personal data carried out by the app, VDAI established a violation of the principle of lawfulness provided for in Article 5(1) of the BDAR. As neither NVSC nor the Company acknowledged during the inspection that they were data controllers, both denied their liability as data controllers and accordingly did not implement the accountability principle set out in Article 5(2) of the BDAR. The app's privacy policy also violated the principle of transparency by providing incorrect information about the data controllers and processors.

Failure to comply with the order. During the inspection of the personal data processed by the app, it was important for VDAI to assess the actual scope and nature of the personal data processing; VDAI therefore instructed the Company to temporarily suspend the processing of personal data through the app, but the Company deleted the data. By deleting the personal data processed by the app, the Company did not properly implement the instruction given to it by VDAI and thus violated Article 58(2)(f) of the BDAR. It should be noted that such non-compliance with the instructions of VDAI gives rise to the Company's liability provided for in Article 83(5)(e) of the BDAR.