FCT – Fundação para a Ciência e Tecnologia.
Sede Av. D. Carlos I, 126, 1249-074 Lisboa, Portugal.
Tel: 213 924 300 Fax: 213 956 519
The purpose of the data processing in the application is to contribute to a faster and more effective tracing of the COVID-19 contagion chains in Portugal, in the context of the global plan to fight the pandemic defined by the Portuguese health authorities and in line with similar examples from other European Union member states.
The application is part of a computer system that will allow the user to be informed about his potential risk of contagion based on the monitoring of his close contacts in the last 14 days.
Participation and use of the app are voluntary, and users may stop using it at any time by their own autonomous and unilateral decision.
The ground for the lawful processing of data in the mobile application is the public interest in the field of public health, on the basis of Portuguese national law and Articles 6(1)(e) and 9(2)(i) of the GDPR.
By default, the personal data collected by the application never allows users or their devices to be directly identified. To protect their privacy, only ephemeral and randomly generated alphanumeric identifiers are used, which are legally considered pseudo-anonymized data. To the extent that they relate to individuals who tested positive for COVID-19 or to users alerted of exposure to a risk of contagion, we may consider those identifiers to refer to data concerning their health.
The application disseminates these random identifiers to, and receives them from, other devices that are nearby. The disseminated random identifiers (never the received ones) may be shared publicly by the application on an official server located in the national territory. No identifiers are stored in the system for longer than 14 days.
As a result of processing the random identifiers, the user may receive an alert with information on the potential risk of contagion and the date of occurrence of the most recent close contact. This information is kept by the application until it is uninstalled.
The system is composed of two sub-systems:
Both servers are under the control of the Foundation for Science and Technology.
The application uses Bluetooth Low Energy (BLE) technology to disseminate and receive random identifiers from nearby devices. When within range of another device running the application, the application stores the following data:
In case a user is diagnosed with COVID-19 the following data is stored in the SLD:
The SPD server contains a list of the following data:
No international data transfers other than those involved in local storage of information on users’ own mobile devices are foreseen.
The European Data Protection Regulation (EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 – GDPR) guarantees users, as holders of personal data, in addition to the right to information, rights of access, rectification, modification or erasure, and objection to processing. However, given the impossibility for the controller to identify users, Articles 15 to 20 of the Regulation, concerning rights of access, rectification, modification or erasure, will in principle not apply in this case, in accordance with Article 11(2) of the Regulation. The right to object can be easily exercised by uninstalling the application.
The data subject may exercise their rights as well as request any information regarding the processing of their personal data by writing to the data controller or the respective data protection officer at the following postal and email addresses:
STAYAWAY COVID email: email@example.com
DPO email: firstname.lastname@example.org
The GDPR also guarantees the data subject, in accordance with its Article 77, the right to lodge a complaint with a supervisory authority in the European Union. In Portugal, the competent supervisory authority is the CNPD (www.cnpd.pt).
The user can at any time uninstall the application without any damage. The uninstallation will result in the deletion of all data processed by the application, including data stored on the system server.
The entire system will be discontinued when the end of the pandemic is declared in Portugal.
© 2020 INESC TEC