Spanish DPA lays down € 600K fine on GSMA for storing COVID-passports
The Agencia Española de Protección de Datos (AEPD) has imposed a € 600,000 fine on the GSMA, the body that organizes the Mobile World Congress (MWC) in Barcelona, because staff members were required to provide their COVID-19 vaccination status.
During the 2022 edition of the MWC, all employees, contract workers and suppliers were required to upload a corona passport or the negative result of a PCR test to prove they weren’t infected with the COVID-19 virus. Approximately 12,000 staff members uploaded their documents to a digital platform so they could carry out their work.
An employee wasn’t too thrilled about this and felt that the GSMA and the venue had no legal basis to ask for information on vaccination or health status. That’s why he filed a complaint with the AEPD.
The GSMA argued it did have both a legal basis and a public interest in processing the health data: safeguarding public health and the safety of its personnel. The organization referred to a health plan that was specifically designed for the event, but that plan was never submitted to the Spanish data protection authority (DPA).
Furthermore, the GSMA claimed that the COVID-passports were only kept during the event.
The Spanish data and privacy supervisor reviewed the case and identified three serious infringements in the data management of the GSMA.
First of all, collecting sensitive health information about its employees went beyond what the organization was legally required to do. It is not up to the GSMA to determine what is in the public interest; that is for the legislator to decide. Also, the GSMA could have opted for less intrusive measures, such as providing protective clothing.
Secondly, the employees’ health data was stored for longer than necessary, which directly affects the privacy of the staff members. The data collection also created an “unbalanced situation” between the parties, since employees had no choice but to share personal health information if they wanted to do their jobs.
Lastly, employees were not sufficiently informed about the collection and processing of their personal health data. That is a violation of the General Data Protection Regulation (GDPR): the European privacy law requires that data subjects be properly informed before they can consent to data collection.
Because of the scope and severity of the privacy infringements, the AEPD decided to impose a € 600,000 fine on the GSMA.
The GSMA has filed an appeal with the AEPD and Spanish Administrative Court. The MWC organizer claims only to have followed the plan that was developed by the health authorities.