The new Slovak Act on certain emergency measures in relation to the spread of COVID-19 will authorize the Public Health Authority to collect, process, and store data from mobile phones of residents of the Slovak Republic, even without their consent. This measure means unprecedented interference into the personal privacy of people by the state but responds to an unprecedented situation.

In order to ensure that the processing of the personal data fulfills its purpose and, at the same time, cannot be misused by the authorities at a later stage, strict rules should apply to the processing of personal data. The Act itself specifies that the Public Health Authority will be able only to process basic identification data such as the user's first and last name, address, and telephone number, as well as information about where the user is located - so-called location data.

The purpose of personal data processing is:

(i) prevent and model the development of threats to life and health;

(ii) identify the recipients of notification messages about the special measures of the Public Health Authority for the purpose of life and health protection; and

(iii) the identification of Users for the purpose of life and health protection. 

In addition, according to the wording of the Act, personal data will be processed only until the end of this year. Consequently, all personal data collected in this way should be deleted, provided, of course, that the coronavirus pandemic is under control by then.

 Although the state wants to have access to the data of each mobile phone user, this does not mean that the Public Health Authority will necessarily have to process the personal data of all Slovak citizens. It is also possible to monitor the movement of people according to location data from phones based on anonymized data (i.e. data aggregated in a way that individuals cannot be re-identified).

Personal data protection regulations emphasize minimizing data processing, and therefore, if a specific purpose (in this case, tracking people for statistical purposes to prevent and model life and health threats) can be achieved without the processing of personal data, the provider is obliged to refrain from doing so.

In this context, however, it should be added that the European Data Protection Board (EDPB) said in its Statement on the processing of personal data in the context of the COVID-19 outbreak that when it is not possible to process only anonymous mobile location data, the member states should seek to introduce legislative measures to process non-anonymized location data to safeguard public security.

In the case of monitoring specific people to see whether they are complying with a quarantine, or to send SMS messages to persons infected with the virus, the personal identification and localization data of these persons will be processed. It is for this purpose that the new Act on certain emergency measures in relation to the spread of COVID-19 (mentioned above) and the general principles and rules for the protection of personal data will apply. According to these, the Public Health Authority is required to ensure that the processing of personal data takes place transparently, only for the specific necessary purpose, and within the necessary scope of material and time. 

The EDPB has conveyed that European data protection rules should not hinder measures taken in the fight against the coronavirus pandemic because it is in the interest of humanity to curb the spread of diseases including the use of available technologies. However, the EDPB underlined that, even in these exceptional times, the data controller and processor must ensure the protection of the personal data, and any action taken by the member states in this context, it must respect general legal principles and must not be irreversible. 

If the state adheres to privacy and personal data protection rules, people will not have to worry that their personal data will be misused for purposes other than protecting public health in relation to the COVID-19 outbreak.