On 13/5/2021 the Commissioner for Personal Data Protection (the “Commissioner”) published a set of Frequently Asked Questions and answers (FAQs) regarding the application of the provisions of Ministerial Decree No. 16 of 2021, issued on 8/5/2021, on measures to prevent the spread of COVID-19.
On 12/7/2021 the Commissioner published a new set of Frequently Asked Questions and answers (FAQs) regarding the application of the provisions of the latest Ministerial Decree No. 28 of 2021, issued on 8/7/2021, on measures to prevent the spread of COVID-19.
Circumstances regarding the pandemic have changed between the two Decrees, as a significant percentage of the population of Cyprus has been vaccinated with at least one dose of an approved COVID-19 vaccine (currently around 67%). However, at the same time, the more infectious Delta variant of SARS-COV-2 has become the dominant variant of the virus in Cyprus, like in most other countries of the world, and is currently keeping the pandemic active and on the rise.
While the government and a significant part of the Cypriot population agree that certain concessions are necessary and proportional to the public health threat posed by the virus at the same time another significant part is opposing this school of thought for their own reasons. Vaccination coverage on the island is slowing down as younger ages reject the vaccines as either potentially dangerous or unnecessary.
From March 2020, when the first cases of the virus were reported in Cyprus, to May 2021 when the vaccination program picked up the Cypriot government’s efforts focused mainly on keeping the spread of the virus in the community under control. As part of this effort, certain concessions on the level of protection of human rights and civil liberties became the norm, with hard lockdowns and curfews imposed one after the other by means of a series of government Decrees issued by the Minister of Health.
After May 2021, however, the focus of government efforts shifted towards increasing vaccination coverage in the hope of bringing the pandemic to an end as soon as possible, without the need for further hard measures. These changes, however, have inevitably impacted different categories of rights, with the protection of personal data now being in the epicentre more than ever and the Commissioner for Personal Data Protection asserting its supervisory role in the legislative process.
The Safe Pass
In May 2021, by Ministerial Decree No. 16 of 2021, the government introduced the concept of the “Safe Pass” as a requirement for social gatherings at certain public places and social events which are considered “high risk” due to the concentration of several people at these places.
The Safe Pass is basically the legal requirement for all persons over the age of 12 to be in possession of one of the following:
- A COVID-19 negative PCR test or Rapid Test carried out within the last 72 hours,
- A COVID-19 Vaccination Certificate after at least 3 weeks from the administration of the 1st dose have passed,
- Evidence of being released, in the case of persons who fell ill with COVID-19 within the last 6 months from initially being diagnosed as positive.
With few exceptions, the latest Decree reflects and renews the provisions of the earlier Decree, including the Safe Pass requirement. A notable change is the abolishment of the 50% limit to the physical presence of employees at the workplace of private businesses which are not considered “essential”, with possession of a weekly negative PCR or rapid test or a certificate of vaccination with at least the first dose after 14 days or evidence of recovery from illness.
This new Decree replaced this limit by introducing a requirement for all employees, including self-employed individuals, to be in possession of a “Safe Pass” and a relevant proviso in the Decree to the extent that “the employers have an obligation to ensure the compliance of their employees with the provisions of this Regulation”.
Commissioner’s Guidance (The FAQs)
Under Regulation (EU) 2016/679 (GDPR), health data is considered “Special Category” data and, as such, strict conditions and requirements apply for the processing of such data under Article 9 of the GDPR. If and where such processing is allowed, it must be carried out in line with the principles relating to the Processing of Personal Data under Article 5 of the GDPR.
In her FAQs of 13/5/2021, the Commissioner stated that the employer does not have the right to ask for an original or a copy of a certificate for a Rapid Test or PCR Test or for covid 19 illness or for vaccination and the employee’s obligation was only to inform him that he/she have been tested and the result, in order for him to draw up the weekly program that he must follow, based on the relevant Decrees.
The Commissioner also stated that the certificate can be verified on a “sampling” basis by any one of the following:
(a) The Company’s Safety Officer, for the purposes of the Occupational Safety and Health Law 1996, Law 89 (I) / 1996, as amended.
(b) Inspectors of the Department of Labor Inspection, based on the legislation of the Department.
(c) Officers authorized under the Decree dated 08/05/2021 (Paragraph 2.7).
(d) Officials who have such authority under special legislation.
(e) Police officers.
As regards verification checks at other places where a Safe Pass is required under the earlier Decree, the Commissioner had also made it clear that only an authorised officer or a police officer can carry out such checks.
In her FAQs of 12/7/2021, however, the Commissioner followed an entirely different approach and line of legal reasoning, stating that “under the previous Decree, the employer had the right to check the certificates of its employees on a sample basis. Now, he has the obligation to check that, all employees hold a certificate for a Rapid Test or PCR within 72 hours or of recovery from covid 19 illness or of vaccination.
In previous Decrees, the owners / managers / administrators of certain places, such as leisure centers, restaurants, gyms, etc., were not obliged to check their customers’ certificates. Now, they have the obligation to check them and ask the customers to show their identity card or passport. Outside of this obligation, outdoor premises of premises, which serve less than 20 people, are excluded.”
The Commissioner also added that “In the event that an employee refuses to show the certificate he holds, the employer should take steps to ensure that both he and the employee comply with this Decree.”
In response to the question whether “the Decree dated 08.07.2021, in relation to the previous ones, violates the legislation for the protection of personal data”, the Commissioner’s answer is “No. What is different is that this Decree creates additional obligations due to the current epidemiological situation.”
The Commissioner also states that “in this case, the current epidemiological situation requires and can justify the additional obligations”. She also stated that the measures are lawful and proportional “…in relation to the current epidemiological situation. However, because they are more intrusive in relation to the measures of previous Decrees, the Commissioner, in the context of the legal consultation, demanded and ensured that, in this Decree, there is a legal basis for the owner / manager / administrator of the site to check the certificate I possess and my ID card or passport.”
Issues of Concern
No doubt the Commissioner has a critical role to play in the protection of personal data in the context of emergency measures introduced by the Cyprus government, particularly in ensuring that any such measures are lawful and proportional and in accordance with the GDPR.
To a certain extent, emergency government measures to deal with a pandemic (being of an extraordinary and temporary character) cannot possibly be expected to take into account every issue that may arise from their strict implementation and that inevitably some issues may arise. The nature and extent of these issues, however, is a matter which should be of concern to Cyprus as an EU member state when it comes to legal rights which are regulated uniformly on a European level, such as under the GDPR.
In my opinion, there are three important legal issues of concern arising from the application of the Safe Pass in Cyprus and the relevant Commissioner’s guidance issued to date.
- In her 13/5/2021 FAQs, the Commissioner stated that mere presentation of the certificate to an authorized officer or police officer in the context of a check, which does NOT require the recording or registration of any information in an electronic or printed archiving system, does NOT constitute processing of personal data.
The basis of this conclusion is not clear from the FAQs. Even if we assume that it is based on the definition of “processing” under Article 4(2) of the GDPR, which does not specifically include activities such as “display” or “presentation”, it does include “use” and “making available” in a context that, arguably, should be sufficiently wide to cover any such activities on the part of the controller.
A narrow interpretation would arguably defeat the purpose of the GDPR and negate the role of the Commissioner as the competent regulatory authority on this matter. If requiring and checking personal (including health related) information of a person does not constitute a “processing” activity under the GDPR, then arguably no privacy concerns would arise from Safe Pass checks since they would fall outside the scope of the GDPR.
In any case, the question is clearly not whether an individual (i.e. data subject) is processing information by presenting the Safe Pass certificate but whether the authorized officer or police officer (i.e. the controller) is processing the individual’s information by checking it (and the individual’s identity card to verify its validity).
- It is reasonable to assume that, in justifying the admittedly “intrusive” measures introduced by the latest Decree in her FAQ’s of 12/7/2021, the Commissioner relied on Article 9(i) of the GDPR, which allows the processing of health-related data where “processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;”
It is simply not enough to rely on general references and assumptions to justify a processing activity relevant to health-related data under article 9 of the GDPR based on public interest grounds. As the UK Information Commissioner’s Office has stressed on its website, given the inherent risks of special category data, it is not enough to make a vague or generic public interest argument – you should be able to make specific arguments about the concrete wider benefits of your processing.
Unfortunately, the Commissioner’s FAQs do not elaborate on exactly how, in the Commissioner’s opinion, the epidemiological situation justifies these obligations being imposed on employers. Moreover, it does not elaborate on exactly why a departure from the Commissioner’s own previous guidance on a matter of principle under the GDPR is necessary.
Although it can be assumed that the epidemiological picture is public knowledge and, as such, should not require further elaboration, this does not appear to be enough for the purposes of the GDPR.
It is also not clear whether and to what extent the GDPR requirement for “suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy”, are ensured by the relevant Decree which constitutes the legal basis for the processing of personal data in the case of the Safe Pass in Cyprus.
- The Commissioner suggested that the employer should take steps to ensure that both he (the employer) and the employee comply with the Decree but did not clarify or suggest what steps may be taken in this respect.
As an emergency measure, the strict application of the Safe Pass in the context of employment relations without the backup of relevant legislation in this area is likely to cause issues of concern where employees refuse to show the relevant certificate to their employers.
Although organised representative bodies, such as the Cyprus Employers and Industrialists Federation, have recognised this and attempted to provide some guidance on what steps an employer can take to ensure that the employees comply with the Decree. Taking into account the current circumstances and the wider lack of legislative guidance in this area, this is a measure that could lead to a surge in constructive and /or unfair dismissal cases before Cyprus courts.