Recommendations on personal data handling due to the implementation of biosafety protocols of COVID-19

On August 18th, the Superintendence of Industry and Commerce, issued certain recommendations which data controllers and data processors must follow when handling personal information collected due to COVID-19.

The External Circular 008 of 2020, the SIC emphasized the fact that despite the resolutions of the Ministry of Health, data protection rights are not suspended, and are valid and applicable during this time. Therefore, the SIC, requires data controllers and data processors to maintain awareness that when collecting personal data, they should at least follow the following aspects:

1. Do not use fraudulent means to obtain data.

2. Adequately inform the purposes of the data handling.

3. Only collect information that is necessary and adequate for the purposes.

4. Justify the need to collect information.

5. Only collect information required by the Ministry of Health to comply with biosafety protocols.

6. Obtain the authorization from the data subject, except when there is a legal exception.

The SIC also emphasized that data controllers and data processors must implement adequate security and confidentiality measures, and in the case of sensitive data they are required to grant enhanced accountability by applying stricter measures in the collection and handling of such data. Also, it is important to clarify that the data collected due to the implementation of biosafety protocols shall only be handled for such purposes and for a reasonable timeframe, after which the data must be deleted.

Finally, please note that if a new data base is created with such data, the obliged controller would have to register the new data bases in the National Data Base Registry.

Should you have any further queries or require assistance in implementing the abovementioned recommendations, please do not hesitate to contact us.

Author
María de Los Rios | [email protected] | Data Privacy and Protection