1. General Terms
This privacy notice describes the purpose and functioning of the “Stop COVID-19” application (hereinafter: Application), which data are collected and how they are processed within the Application, data subject rights, and data security within the Application.
2. Data Controller
The Application is owned by the Ministry of Health of the Republic of Croatia (hereinafter: Ministry), Ksaver 200a, HR-10000 Zagreb, Republic of Croatia, tel: 00385 1 46 07 555.
According to the data protection regulations, the Ministry is a data controller and is responsible for data processing within the Application on a national level. It is also a joint controller, along with the other EU Member States which form the Joint Controllership, responsible for data processing within the Application with cross-border interoperability in the EU established via the European Federation Gateway Service (EFGS).
3. Data Protection Officer
If needed, you can contact the data protection officer of the Ministry at the above-mentioned address or by sending an e-mail to email@example.com.
4. Application Purpose
The purpose of the Application is to notify the Application user that his/her Application has been in epidemiologically relevant contact with the Application of a person confirmed to be COVID-19 positive, and to allow a person confirmed to be COVID-19 positive to anonymously notify other Application users about possible infection with COVID-19 disease.
The Application uses completely new technologies and means of data processing, with the aim of enhancing health protection and raising citizens' awareness of an increased risk of infection with COVID-19 disease.
5. Legal Basis for Data Processing
Data are collected and processed through the Application on the basis of the necessity to perform a task of public interest (Article 6, paragraph 1 (e)) that is allowed for the purpose of public interest in the field of public health (Article 9, paragraph 2 (i)) and for the purposes of health care (Article 9 (2) (h)) of the General Data Protection Regulation (EU GDPR), based on the decisions of the Government of the Republic of Croatia and the Minister of Health (Official Gazette, No. 125/2020), determined by the Act on the Protection of the Population from Infectious Diseases (Official Gazette, No. 79/2007, 113/2008, 43/2009, 130/2017, 114/2018 and 47/2020).
6. Application Usage
Installation and usage of the Application are voluntary. Users independently decide on downloading the Application to their mobile devices, how they will use it and when they will delete the Application from their mobile devices.
During installation of the Application, the user's explicit consent is needed for the Application to use Bluetooth technology and the Google/Apple “Exposure Notification” services. The user can refuse to activate Bluetooth and the “Exposure Notification” services when turning on the Application, or independently turn the usage of these services on and off at any time after the Application installation.
The user's consent is needed; otherwise the Application will not be able to access the exposure notification functionalities on the user’s mobile device.
If the user activates the usage of these services, the Application will, via Bluetooth:
- Collect random keys from mobile devices of other users in proximity defined by the epidemiological parameters (such as proximity, distance and duration of the contact, and the date of the contact), which also have the Application installed and activated,
- Disseminate random keys of a user’s mobile device to other users in proximity who also have the Application installed and activated.
The random keys collected and disseminated are series of random numbers that are generated multiple times during one hour, and they do not in any way enable the identification of the Application user to other Application users. Random keys are stored on the user’s mobile device for a period of 14 days, after which they are deleted.
By installing the application with the activation of the cross-border data exchange setting, you will ensure that you receive notification of exposure in case of traveling abroad or interaction with users of other authorized COVID-19 mobile applications. Commission Implementing Decision (EU) 2020/1023 of 15 July 2020 defines Cross-border data exchange between national mobile contact tracing applications.
Random keys of users of other authorized European COVID-19 mobile applications who have shared infection information will be processed on your mobile device so that the mobile application can determine if you have been in close contact. Also, in the event of an infection, your random keys will be sent to the European Federation Gateway Service (EFGS) for the cross-border interoperability of national contact tracing and warning mobile applications and processed by authorized COVID-19 mobile applications from other European countries.
The Application will not be able to detect contacts with other devices in proximity if the user has turned off (deactivated) the Google/Apple “Exposure Notification” services. The Application does not collect geolocation data at any time, nor does it collect any other data that may reveal the user’s identity.
The Application user, only if he/she wishes to do so and only when he/she has been confirmed as having COVID-19 disease, can send his/her random keys to the Application server so that they become available to other Application users, whose Applications can then calculate exposure risks and notify users. In order for the user to be able to send his/her keys at all, he/she must first get a positive laboratory test and inform the competent healthcare professional, i.e. the user's family doctor, that he/she has the Application, so that the healthcare professional or the family doctor can generate a one-time verification code via the Application's server. The day and duration of the proximity contact will be shared with the server, without the possibility of revealing the identity.
Application users who have been exposed to the infection, in that they have been in proximity contact with a COVID-19 positive person in accordance with the defined epidemiological parameters, will receive a notification from the Application on the date of contact and a recommendation on next steps. It is the sole responsibility of the Application user to send their random keys and thus allow their contacts to be notified anonymously by their Applications of possible exposure to COVID-19 disease.
The application is available on the following platforms: “Google Play Store” for Android devices and “App Store” for Apple devices. More information on Google/Apple services is available on:
- for Android devices: https://support.google.com/android/answer/9888358?hl=en
- for Apple devices under “Privacy” > “Health” > “COVID-19 Exposure Logging”. Please note that the exposure logging functionality is only available if iOS version 13.5 or higher is installed on your iPhone.
Note: Google requires that the "Use Location" option be enabled on Android devices in order to use Bluetooth functionality. However, this does not mean that it automatically enables tracking of the user's location. Moreover, the Application in no way monitors the user's location nor has the authority to record location data.
7. Application Security
Installation and usage of the Application do not require user registration, nor do they request or record any personal data, including data such as name and surname, date of birth, mobile phone number or e-mail address of the user. The Application does not collect user geolocation data at any time.
Random keys, in the case of a confirmed infection with COVID-19 and only if the Application user so wishes, leave the user's mobile device, and it is not possible to connect them in any way with the identity of the user.
The data collected by the Application is forwarded for processing to the Google/Apple service “Exposure Notification” on the mobile device itself.
The Application server components communicate with the Application through encrypted and secure channels. The data on the server infrastructure is stored in a database that is implemented as a separate logical unit that enforces security policies of the highest standards.
8. Data Access
Only the competent healthcare professional, i.e. the user's family doctor, has access to the one-time verification code, by which the user confirms a positive test for COVID-19 in the Application itself, at the moment that the Application server generates the verification code. After that, the healthcare professional or family doctor no longer has access to the code. All verification codes are stored in the backend server for 14 days, after which they are deleted.
Random keys shared by people diagnosed with COVID-19 are automatically downloaded daily by all users' Applications and forwarded for processing to the Google/Apple “Exposure Notification” service on the mobile device itself.
The user can turn off the use of Bluetooth and the Google / Apple Exposure Notification service in the mobile operating system at any time.
The user can remove the collected random keys of proximity contacts at any time through the settings of the mobile device operating system. The Ministry cannot delete random keys from the user's mobile device, or from the mobile devices of other users with whom the user has exchanged random keys.
9. Data Transfer to Third Countries
The data processed within the Application are located on the user's mobile device, on the Application servers in the Republic of Croatia or another EU Member State. Data are not transferred to third countries.
10. Responsibilities of the Participating Member States as Joint Controllers for the Federation Gateway for Cross-Border Processing between National Contact Tracing and Warning Mobile Applications
10.1.1. Division of responsibilities
(1) The joint controllers shall process personal data through the federation gateway in accordance with the technical specifications stipulated by the eHealth Network.
(2) Each controller shall be responsible for the processing of personal data in the federation gateway in accordance with the General Data Protection Regulation and Directive 2002/58/EC.
(3) Each controller shall set up a contact point with a functional mailbox that will serve for the communication between the joint controllers and between the joint controllers and the processor.
(4) A temporary subgroup set up by the eHealth network in accordance with Article 5(4) of the Commission Implementing Decision (EU) 2020/1023 of 15 July 2020 shall be tasked to examine any issues arising from the interoperability of national contact tracing and warning mobile applications and from the joint controllership of related processing of personal data and to facilitate coordinated instructions to the Commission as a processor. Amongst other issues, the controllers may, in the framework of the temporary subgroup, work towards a common approach on the retention of data in their national backend servers, taking into account the retention period set forth in the federation gateway.
(5) Instructions to the processor shall be sent by any of the joint controllers’ contact point, in agreement with the other joint controllers in the subgroup referred to above.
(6) Only persons authorised by the designated national authorities or official bodies may access personal data of users exchanged in the federation gateway.
(7) Each designated national authority or official body shall cease to be joint controller from the date of withdrawal of its participation in the federation gateway. It shall however remain responsible for processing in the federation gateway that occurred prior to its withdrawal.
10.1.2. Responsibilities and roles for handling requests of and informing data subjects
(1) Each controller shall provide the users of its national contact tracing and warning mobile application (“the data subjects”) with information about the processing of their personal data in the federation gateway for the purposes of cross-border interoperability of the national contact tracing and warning mobile applications, in accordance with Articles 13 and 14 of the General Data Protection Regulation.
(2) Each controller shall act as the contact point for the users of its national contact tracing and warning mobile application and shall handle the requests relating to the exercise of the rights of data subjects in accordance with the General Data Protection Regulation, submitted by those users or their representatives. Each controller shall designate a specific contact point dedicated to requests received from data subjects. If a joint controller receives a request from a data subject, which does not fall under its responsibility, it shall promptly forward it to the responsible joint controller. If requested, the joint controllers shall assist each other in handling data subjects’ requests and shall reply to each other without undue delay and at the latest within 15 days from receiving a request for assistance.
(3) Each controller shall make available to the data subjects the content of Section 10 including the arrangements laid down in points 1 and 2.
10.2. Management of security incidents, including personal data breaches
(1) The joint controllers shall assist each other in the identification and handling of any security incidents, including personal data breaches, linked to the processing in the federation gateway.
(2) In particular, the joint controllers shall notify each other of the following:
a) any potential or actual risks to the availability, confidentiality and/or integrity of the personal data undergoing processing in the federation gateway;
b) any security incidents that are linked to the processing operation in the federation gateway;
c) any personal data breach, the likely consequences of the personal data breach and the assessment of the risk to the rights and freedoms of natural persons, and any measures taken to address the personal data breach and mitigate the risk to the rights and freedoms of natural persons;
d) any breach of the technical and/or organisational safeguards of the processing operation in the federation gateway.
(3) The joint controllers shall communicate any personal data breaches with regard to the processing operation in the federation gateway to the Commission, to the competent supervisory authorities and, where so required, to data subjects, in accordance with Articles 33 and 34 of Regulation (EU) 2016/679 or following notification by the Commission.
10.3. Data Protection Impact Assessment
If a controller, in order to comply with its obligations specified in Articles 35 and 36 of the General Data Protection Regulation needs information from another controller, it shall send a specific request to the functional mailbox referred to in Subsection 10.1(3) of Section 10.1. The latter shall use its best efforts to provide such information.
11. Data Subject Rights
As it is neither necessary nor intended for the needs of the Application, the Ministry is not obliged to collect additional data (Article 11, paragraph 2 of the EU General Data Protection Regulation (GDPR)) which would allow the aforementioned data to be clearly assigned to the user or mobile device user.
Therefore, it is not possible to directly enforce data protection rights in accordance with Articles 15, 16, 17, 18, 20 and 21 of the EU General Data Protection Regulation (GDPR), as this would require additional user information that is not available.
Notwithstanding the above, users of the Application have:
- the right to address the Data Protection Officer of the Ministry (Article 38 (4) of the EU General Data Protection Regulation (GDPR)) and
- the right to file a complaint to the competent data protection authority: Personal Data Protection Agency, Selska cesta 136, HR-10000 Zagreb, Republic of Croatia, e-mail firstname.lastname@example.org.
Last update: November 16, 2020