This judgment concerns the interpretation of the EU General Data Protection Regulation (GDPR) regarding the processing of personal data when issuing COVID-19 immunity certificates.The key points of the judgment are:1. The exception to the controller’s obligation to provide information to data subjects (under Article 14(5)(c) GDPR) applies to all personal data not collected directly from the data subject, including both data obtained from other sources and data generated by the controller itself.2. When handling complaints, data protection authorities can verify whether national laws provide appropriate measures to protect data subjects’ interests when applying this exception. The verification should ensure the law guarantees at least equivalent protection to what Article 14 GDPR would provide.3. However, when verifying compliance with Article 14(5)(c), authorities do not need to check the technical security measures required under Article 32 GDPR, as these are separate obligations.The judgment is particularly relevant for public authorities processing personal data for COVID-19 certificates and similar documents, clarifying their obligations regarding information provision and data subject rights.
Leave a comment
