ADA - Quarantine App ("Karantinas")
|ADA - Quarantine App ("Karantinas")|
|Relevant Law:||Article 5 GDPR|
Article 5(1)(a) GDPR
Article 5(1)(f) GDPR
Article 13 GDPR
Article 24 GDPR
Article 32 GDPR
Article 35 GDPR
Article 58(2)(f) GDPR
|Parties:||Nacionaliniam visuomenės sveikatos centrui (NVSC)|
UAB „IT sprendimai sėkmei“ (Company)
|National Case Number/Name:||Quarantine App ("Karantinas")|
|European Case Law Identifier:||n/a|
|Original Source:||Valstybinė duomenų apsaugos inspekcija (in LT)|
The Lithuanian DPA (VDAI) imposed two fines after investigating the Quarantine App launched by the National Center for Public Health in cooperation with UAB IT Solutions Success. The National Center for Public Health was fined €12,000 for breaching Articles 5, 13, 24, 32, 35 and 58(2)(f) GDPR. UAB IT Solutions Success was fined €3,000 for violating Articles 5, 13, 24, 32 and 35 GDPR.
English Summary[edit | edit source]
Facts[edit | edit source]
The Lithuanian DPA (VDAI) launched an investigation into the Lithuanian Quarantine App ("Karantinas") in May 2020 after information in the media that there potentially was unlawful processing of personal data involved. This App was launched by the National Center for Public Health (Nacionaliniam visuomenės sveikatos centrui) and developed by UAB IT Solutions Success (UAB „IT sprendimai sėkmei“).
The App was suspended after preliminary findings which triggered the investigation process. The DPA ordered UAB IT Solutions Success to suspend the processing of personal data. However, UAB IT deleted this data instead.
In the investigation, the DPA found that the personal data of 677 individuals were collected in April 2020. This generally included personal data such as identification number, latitude and longitude coordinates, country, city, municipality, postal code, street name, house number, name, surname, personal code, telephone number, address, 2nd address, whether the place of residence is declared in Lithuania and other information. The processing was conducted in Lithuania, other EU/EEA States, as well as third countries (non-EU such as India and the US).
Dispute[edit | edit source]
Was the Lithuanian Quarantine App in violation of the GDPR?
Holding[edit | edit source]
The Lithuanian DPA first established that the National Center for Public Health (Nacionaliniam visuomenės sveikatos centrui) and the Company responsible for developing the App, UAB IT Solutions Success (UAB „IT sprendimai sėkmei“), were joint controllers.
The DPA discovered from its investigation that a Data Protection Impact Assessment had to be done prior to processing in line with Article 35 GDPR. The App concerned processed personal data using new technology as well as a systematic monitoring of data subjects in self-isolation. The App also aimed to process large datasets (data subjects throughout Lithuania and abroad). The processing was intended to be continuous and vulnerable data subjects were concerned.
The DPA found that the National Center for Public Health violated Article 24 and 32 GDPR on the implementation of organisational measures, as well as the principle of integrity and confidentiality found in Article 5(1)(f) GDPR.
The DPA found that both the National Center for Public Health and UAB IT Solutions Success violated the principle of lawfulness Article 5(1)(a) GDPR as they failed to prove that they had a legal basis for processing. The principle of transparency was also infringed (Article 5(1)(a)) . Finally, as neither entities recognised that they were data controllers, the accountability principle was not met (violation of Article 5(2)).
In summary, the DPA found that the National Center for Public Health breached Articles 5, 13, 24, 32, 35 and 58 (2)(f) GDPR and imposed a fine of €12,000 on the public body. In turn, the DPA found that UAB IT Solutions Success violated Articles 5, 13, 24, 32 and 35 GDPR and imposed a fine of €3,000.
The fines reached this level as the National Center for Public Health and UAB IT Solutions Success processed personal data without a legal basis in an intentional way, systematically, without technical and organisational measures. The DPA also took into consideration that this concerned special categories of personal data. Finally, in addition, UAB IT Solutions Success did not comply with the DPA's request to suspend the processing and instead, deleted the personal data collected.
Comment[edit | edit source]
The DPA's decision can be appealed within 1 month from the date of the decision
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Lithuanian original. Please refer to the Lithuanian original for more details.