Given the unprecedented national and international situation as a result of the coronavirus pandemic COVID-19, and with reference to a number of issues addressed in this period by public, private controllers, and concerned citizens in connection with the impact and consequences of processing personal data in these specific conditions, the Office of the Information and Data Protection Commissioner considers as reasonable providing for some guidelines, in a synthetized manner, seeking a fair and reasonable interpretation of the personal data protection legislation in the context of the measures implemented for the prevention and the eventual mitigation of the serious threats imposed by the spread of COVID-19 virus in Albania.
Each public and private controller in the Republic of Albania, shall, in the course of their activities, act in compliance with the provisions of the Law No. 9887, dated 10.03.2008 “On personal data protection”, as amended (hereinafter “Law on the protection of personal data” ) and the sublegal acts rendered by the Commissioner in implementation of the Law.
The situation created by the spread of COVID-19 virus does not represent a lawful reason to disregard the right of each citizen to the protection of their personal data and therefore to disregard their private life, which combined, constitute a category of individual rights ensured by the Constitution.
On the other hand, the Office of the Commissioner recalls that the personal data protection legislation does not hinder or restrict, in any case, the powers of law enforcements institutions and the rights and obligations of any other public and private controller regarding processing of personal data in the frame of the preventive measures, as well as restrictive to each citizen in the joint endeavour against COVID-19.
With reference to the above, and in the framework of the measures taken by the law enforcement institutions, as well as by any other public and private controller in the country to swiftly and effectively tackle urgent situations, the Commissioner’s Office recognizes the need for processing personal data such as, but not limited to, the name, address, workplace, travel details, recorded images, etc. The processing of such data must be made in compliance with Articles 5 and 6 of the Law on Personal data Protection.
In given context, the processing of data relating to the health of citizens is particularly important, even more so the processing of data relating to infections with COVID-19 and other diseases which, combined with COVID-19, may seriously threat the health and/or the life of citizens. This information represents sensitive data as set forth by Article 3/4 of the law on personal data protection and their processing is specifically regulated by Article 7 of this law, in accordance with Articles 5 and 6 therein.
The Office of the Commissioner considers that processing of personal data and especially those relating to the health of data subjects, is ultimately important for the protection of the health and the public interest in the current situation in our country. In these conditions, besides the collection and the storage of personal data, it seems reasonable the need for increased transmission and exchange of such data among controllers and law enforcement institutions in the frame of the measures taken against COVID-19.
Subsequently, all the controllers mentioned above may rely on the legal provisions for the processing of personal data regardless of the consent of data subjects as follows:
(i) For non-sensitive personal data, Article 6/1 litteras “c”, “ç” and “d” of the law on personal data protection; and
(ii) For the sensitive personal data Article 7/2 litteras “b”, “c”, “dh” and “ë” therein, in accordance with the provisions set out in littera (i).
In any given case, the Office of the Commissioner recalls the obligation of the controllers to process personal data in compliance with the principles of Article 5 of the law on personal data protection. Every controller is, amongst other things, required to process personal data only for the specified purpose (in this specific case, the measures against COVID-19), and must not exceed this purpose. Controllers shall not process more data than it is necessary to achieve the specific purpose.
Furthermore, the processing of personal data may proceed as far as the purpose of processing is valid, provided that there is a specific legal provision providing for longer processing period, i.e as far as it is necessary to tackle COVID-19 and redress its implications for the data subjects.
Accordingly, upon overcoming the COVID-19 pandemic, all controllers including law enforcement bodies are required to delete/destroy the personal data processed in that context.
In addition, every controller must adopt technical and organizational measures to ensure security and confidentiality of personal data processed in the context of the measures taken against COVID-19, pursuant to Articles 27 and 28 of the Law on Personal Data Protection.
The Office of the Commissioner calls on the understanding of the citizens vis-a-vis the necessity and importance of the processing of the personal data aimed at successfully addressing and avoiding the negative consequences produced by COVID-19 and reassures of its commitment to address any issue raised by the parties engaged in this collective human battle.
Accordingly, we invite you to address any such requests at the following email address: info@idp.al.