Cyprus Mail

Coronavirus: Data commissioner green lights new SafePass rules


The latest expanded control measures taken relating to the coronavirus situation are both “legitimate and proportional”, the data protection commissioner said in a statement on Monday.

In a statement, Data Commissioner Irini Loizidou Nicolaidou weighed in on the requirement to display a so-called SafePass when frequenting accommodation and entertainment establishments – hotels, bars, restaurants.

The SafePass involves being immunised against the coronavirus, having had a negative rapid or PCR test valid for up to 72 hours, or paperwork showing that one has recovered from Covid-19 up to six months ago.

The commissioner sought to clarify a number of points raised in the health minister’s decree dated July 8, and which have caused confusion among the public.

She noted that, under previous decrees, employers had the right to check their employees’ documentation on a sampling basis. Now, employers must check that all employees possess a negative test (valid for up to 72 hours), or proof of recovery, or vaccination.

In previous decrees, owners/managers/operators of certain venues (accommodation, gyms etc) did not have the obligation to check customers’ coronavirus-related documentation. Now they do. In addition, they must also ask customers to show an ID or passport.

The only exemption to this applies to outside spaces of establishments where less than 20 people/customers are being served.

Addressing whether the latest decree violates data privacy laws, the commissioner said it does not. The reason, she explained, is that the new decree “creates additional obligations, due to the current epidemiological situation”.

Nicolaidou went on to cite the principle of proportionality, noting: “In this case, the current epidemiological situation mandates, and can justify, additional obligations.”

Because the latest measures are “more interventionist”, the commissioner observes, she had sought and ensured that “the current decree includes a legal basis enabling owners/managers/operators of a premises to check citizens’ certificate and their ID or passport.”

Coming back to the workplace situation, responsibility for checking covid-related documentation lies with the designated safety & health officers. Where a business is exempt from appointing such an officer, and there is no authorised private security officer to do the same, the employers themselves must conduct these checks.

Moreover, police may also conduct checks at places of work.

In the event an employee refuses to display documentation, the commissioner notes, “the employer must take steps to ensure that both he [the employer] and the employee comply with the current decree.”

On whether an employer may record data from a person’s documentation, Nicolaidou said this is allowed.

She explained that employers may record this information because they need to know which members of their staff are immunised and/or have recovered from Covid-19, so that these persons are exempt from the obligation to produce a 72-hour valid negative test.

Also, employers must be in a position to know the expiry of coronavirus tests. No copies of test results are admissible, only the originals.

Regarding accommodation venues and establishments, owners/managers/operators may not record information from customers’ documentation, nor their ID or passport number.

The sole exception pertains to special circumstances, like hotels where one needs to check whether a customer’s stay does not exceed the validity period of the Covid-related documentation, like the test.

The same arrangements apply for parties or receptions taking place at hotels or entertainment establishments.

On the European Union Digital Green Certificate – otherwise known as the European Union’s Digital Covid Certificate or EUDCC – the data commissioner clarifies that it can be used only for the purpose of travel, and not for the purposes of the current decree in Cyprus.

Where a member of the public does not hold the required documentation, he or she may not use the EUDCC as an alternative “because this does not constitute proof”.

However Nicolaidou does not altogether rule out possible future use of the EUDCC domestically.

She goes on to state that she is in consultations with the relevant ministries so that “should there arise the need to regulate the use of an EUDCC within the Republic, that this should be in accordance with the conditions set by the EU Regulation regarding the EUDCC.”

Concluding, Nicolaidou said that if the epidemiological situation improves and “the Commissioner determines that the provisions of a decree no longer comply with the General Data Protection Regulation, the Commissioner may ask for the temporary suspension of the provisions until the decree is amended or abolished.”


Related Posts

Batch of frozen chicken burgers found to contain salmonella

Gina Agapiou

Two types of USB hub withdrawn from the EU market

Andrea Charalambous

Trust between the two sides ‘at a low point’ UN official says

Elias Hazou

Ukraine pleads for air defence as Russia turns sights on Lysychansk (Update 1)

Reuters News Service

Soldier 23, critical after being injured during helicopter training

Gina Agapiou

Bi-communal musical dialogue for peace

Eleni Philippou