Guideline 04/2020 – Use of location data and contact tracing tools in the context of COVID-19 outbreak

Section 2.1  Sources of location data

9 There are two principal sources of location data available for modelling the spread of the virus and the overall effectiveness of confinement measures:

• location data collected by electronic communication service providers (such as mobile telecommunication operators) in the course of the provision of their service ; and

• location data collected by information society service providers’ applications whose functionality requires the use of such data (e.g., navigation, transportation services,etc.).

10 The EDPB recalls that location data collected from electronic communication providers may only be processed within the remits of articles 6 and 9 of the ePrivacy Directive. This means that these data can only be transmitted to authorities or other third parties if they have been anonymised by the provider or, for data indicating the geographic position of the terminal equipment of a user, which are not traffic data, with the prior consent of the users.

11 Regarding information, including location data, collected directly from the terminal equipment, art.5 (3) of the “ePrivacy” directive applies. Hence, the storing of information on the user’s device or gaining access to the information already stored is allowed only if (i) the user has given consent or (ii) the storage and/or access is strictly necessary for the information society service explicitly requested by the user.

12 Derogations to the rights and obligations provided for in the “ePrivacy” Directive are however possible pursuant to Art.1 5, when they constitute a necessary, appropriate and proportionate measure within a democratic society for certain objectives.

13 As for the re-use of location data collected by an information society service provider for modelling purposes (e.g., through the operating system or some previously installed application) additional conditions must be met. Indeed, when data have been collected in compliance with Art. 5 (3) of the ePrivacy Directive, they can only be further processed with the additional consent of the data subject or on the basis of a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Art. 23 (1) GDPR.