EU data protection

According to EU GDPR guidelines, Encounter's Data Controller is the University of Oulu <researchdata@oulu.fi>
and our Data Protection Officer: Niilo Vähäsarja <niilo.vahasarja@oulu.fi>

Any organization that processes, collects, uses, transmits, stores and analyzes personal data of people in the European Union must comply with the General Data Protection Regulation (GDPR). Here is how Encounter stands as of today regarding compliance with the GDPR [1] and other specific sectoral legislation regulating the use of location data or the use of cookies [2].

Encounter

Personal Data under the GDPR

1) Encounter does not collect any identified or identifiable living individual data. A random UUID is generated daily and used on the contact tracing. When deemed by health authorities to be at risk, a push message can be sent to this UUID, without revealing users' identity. There is no username, location, physical, physiological, genetic, mental, economic, cultural or social identity data in Encounter.

Personal data is any information that relates to an identified or identifiable living individual [3]. Different pieces of information (including username, location, physical, physiological, genetic, mental, economic, cultural or social identity), which collected together can lead to the identification of a particular person, also constitute personal data.

2) Given 1) this is not possible to do with Encounter contact tracing data. This anonymous data only leaves the phone if shared voluntarily by the user.

Personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal data and falls within the scope of the GDPR.

3) Given 2) and since every day and every time the user shares, deletes his Encounter data the assigned UUID is randomised, this renders the anonymisation irreversible.

Personal data that has been rendered anonymous in such a way that the individual is not or no longer identifiable is no longer considered personal data. For data to be truly anonymised, the anonymisation must be irreversible.

4) Given 1-3 and the fact Encounter does not gather any of the data that could potentially identify an individual, makes Encounter fully GDPR compliant.

Below are some examples of personal data that are typically collected through a mobile application.

  • a name and surname;

  • a home address;

  • an email address such as name.surname@company.com;

  • an identification card number;

  • location data (for example the location data function on a mobile phone);

  • an Internet Protocol (IP) address;

  • a cookie ID;

  • the advertising identifier of your phone;

  • data held by a hospital or doctor, which could be a symbol that uniquely identifies a person.

[1] https://ec.europa.eu/info/law/law-topic/data-protection/eu-data-protection-rules_en; https://gdpr.eu

[2] ePrivacy Directive (Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 (OJ L 201, 31.7.2002, p. 37) and Regulation (EC) No 2006/2004) of the European Parliament and of the Council of 27 October 2004 (OJ L 364, 9.12.2004, p. 1).

[3] Article 29 Working Party Opinion 4/2007 on the concept of personal data, https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf