PRIVACY POLICY OF THE Radar COVID APPLICATION
Carefully read this privacy policy for users of the “Radar COVID” mobile application (or the “App”), in which you will find all the information on the data we use, how we use them and what control you have over them.
IMPORTANT NOTICE:
|
1. What is Radar COVID?
Radar COVID is an App for mobile devices that sends notifications of risk contacts related to the SARS-CoV-2 virus. Its OWNER is the General Secretariat of Digital Administration (hereinafter, SGAD in its Spanish initials), the governing body which reports to the Secretariat of State for Digitalisation and Artificial Intelligence of the Ministry of Economic Affairs and Digital Transformation.
Thanks to Radar COVID, users who have downloaded the App and accepted its use will receive a notification in the event that, in the fourteen days prior to the said notification, they have been exposed to an epidemiological contact (within two metres and for more than 15 minutes) with another (fully anonymous) user who has declared to the App that they have tested positive for COVID-19 (following certification by the health authorities). The App will inform them solely of the day (within the previous fourteen) on which the exposure to the contact occurred, but not the identity of the user they have been exposed to (information that is impossible to supply, given that the App doesn’t request, use or store its users’ personal data) or the identification of the latter’s device, nor the location or the time at which the exposure occurred.
Once a notification has been received, the App will provide the exposed user with information on the adoption of preventive measures and the provision of care to help to contain the spread of the virus.
The success of the App as a tool that contributes to the containment of the spread is directly linked to its users being aware, and acting accordingly, that, despite the fact that informing the App that they have tested positive for COVID-19 (following certification by the health authorities) is voluntary, not doing so and being a mere recipient of information from third-party users means that the App will lose its preventive usefulness, not only for other users but for the rest of the population in general. Its completely anonymous nature should definitely encourage people to act responsibly in this regard.
2. How does the App work?
Once you have downloaded the App, accepted the terms of use and the privacy policy and started using it, each day your mobile device will generate a random identifier known as a “temporary exposure key” 16 characters in size (16 bytes or 128 bits). This will create “Bluetooth ephemeral identifiers” that are exchanged with other nearby mobile phones that have also downloaded the Radar COVID App and enabled Bluetooth.
The “Bluetooth ephemeral identifiers” are random codes 16 characters in size (16 bytes or 128 bits) that are generated by your mobile phone every 10-20 minutes upon the basis of the daily “temporary exposure key”. These codes do not contain any personal information which can identify the mobile phone or its user. These “Bluetooth ephemeral identifiers” are transmitted by your mobile phone several times per second to nearby devices that are accessible through Bluetooth Low Energy (BLE), producing a random code exchange between devices so that they can be stored by nearby phones that have downloaded the App. Similarly, every five minutes your mobile phone will listen to the Bluetooth ephemeral identifiers that are transmitted by other mobile phones that contain the App and it will store them to determine whether you have been with another user infected by COVID-19 who has reported a positive case over the last fourteen days.
Your phone stores the temporary exposure keys you have generated over the last fourteen days. Remember that these keys are generated randomly and cannot identify your mobile phone or the USER.
If you have received a positive COVID-19 diagnosis, you can voluntarily enter the “single-use confirmation code” provided by your Public Health Service into the App and it will be validated on the SGAD’s server. At that moment the App will ask you to grant your consent to it sending the last fourteen temporary exposure keys stored on your phone to our server. Then, only if you grant it, they will be sent to the SGAD’s server and, after the correctness of the code is verified, they will be used to draw up a daily list of temporary exposure keys of people infected by COVID-19 that are downloaded from the server by all the Radar COVID apps that are in operation on a daily basis.
The information on these lists is used to enable you to check on your phone whether you have been in close contact (less than two metres and for more than 15 minutes) with people who have reported a COVID-19 infection, without any identification of the person, the location of the exposure or the mobile device or the provision of any personal data about you or the other person. In other words, the App regularly downloads the temporary exposure keys voluntarily shared by users diagnosed with COVID-19 via the server in order to compare them with the random codes registered on the previous days as a result of contacts with other users. If a match is found, the App executes an algorithm on the device which, depending on the duration and estimated distance of the contact and in accordance with the criteria established by the health authorities, evaluates the risk of exposure to the SARS-CoV-2 virus and, as appropriate, displays a notification informing the user of the contact risk and the date thereof and inviting them to self-isolate and contact the health authorities.
These keys sent to the server do not allow the direct identification of users and are required to guarantee the proper operation of the risk contact notification system.
3. Who are the data controllers responsible for the processing of your data as a “Radar COVID” user?
The data controllers of this App are the Ministry of Health and the Autonomous Communities. Similarly, the General Secretariat of Digital Administration acts as the data processor.
At a national level, the data controller responsible for the processing of your data as a “Radar COVID” user is:
- Name: Ministry of Health.
- Address: Paseo del Prado 18-20, 28014 Madrid
The Secretariat of State for Digitalisation and Artificial Intelligence, as the owner of the App and upon the basis of the commission received from the Ministry of Health, will perform the following processing operations:
- Generation of codes for the reporting of positive cases via the Radar COVID App.
- Receipt of the information sent by users when they report a positive case. This information includes:
- The daily exposure keys for up to a maximum of fourteen days. The exact number of keys reported will depend on the date of the onset of the symptoms or the date of the diagnosis reported via the App.
- The preference, or otherwise, for sending these daily exposure keys to the European interoperability node for contact tracing applications.
- Composition of an updated list of temporary exposure keys that are made available for downloading by Radar COVID Apps.
- In relation to the European contact interoperability node (EFGS).
- Daily receipt of the lists of temporary exposure keys generated by the national servers of the member States which, where appropriate, form part of the project.
- Daily submission to the EFGS node of a list of temporary exposure keys sent by Radar COVID users who have granted their express consent to the sharing of this information with the other member States which form part of the project.
The Autonomous Communities that also take part in the use of the App will also be data controllers, performing the following processing operations:
- Asking the Radar COVID server to generate codes for the confirmation of positive cases.
- Delivering these codes to people who are diagnosed as positive by PCR tests.
The data processor and the owner of the App is the General Secretariat of Digital Administration, in accordance with the Agreement reached by the Ministry of Economic Affairs and Digital Transformation (Secretariat of State for Digitalisation and Artificial Intelligence) and the Ministry of Health with regard to the “Radar COVID” App.
4. What data about you do we process?
The data handled by the App cannot directly identify the user or the device and are essential for the sole purpose of informing you that you have been exposed to a situation involving a risk of contagion by COVID-19 and to facilitate the potential adoption of preventive measures and the provision of care.
- On no account will USERS’ movements be tracked, thus excluding any form of geolocation.
- USERS’ IP addresses will not be stored or processed.
- Codes for the confirmation of positive cases will not be stored together with other personal data pertaining to users.
As part of the COVID-19 risk contact notification system, the following data of users who have tested positive for COVID-19 will be processed for the purposes specified below:
- The temporary exposure keys by means of which the user’s device has generated the random codes (Bluetooth ephemeral identifiers) sent to the devices with which the user has come into contact over the previous fourteen days. These keys are in no way related to the USER’s identity and are uploaded onto the server so that they can be downloaded by Radar COVID Apps in the possession of other users. With these keys, by means of the processing that takes place on the mobile phone in a decentralised manner, the USER can be informed of any risk of contagion due to having been in recent contact with a person who has been diagnosed with COVID-19, without the App being able to refer their identity or the place where the contact took place.
- A single-use 12-digit confirmation code supplied to the USER by the health authorities in the event of a positive COVID-19 test. This code must then be introduced into the App by the user in order to allow the voluntary uploading of the temporary exposure keys onto the server.
- The user’s consent, if applicable, for the submission of the temporary exposure keys to the European interoperability node for contact tracing applications.
- The exposure notification notice, for the purpose of collecting anonymous, aggregated statistics on the volume of notifications produced by the system through contact tracing. This data allows us to estimate how many users the Application has alerted of a potential risk of infection, without being able to trace their identity
All the information will be collected for purposes strictly of public interest in the field of public health and, in view of the health emergency situation, in order to protect and safeguard an essential interest for people’s lives, in the terms outlined in this privacy policy and in accordance with articles 6.1.a), 9.2.a), 6.1.c), 6.1.d), 6.1.e), 9.2.c), 9.2.h) and 9.2.i)
The applicable legislation is listed below:
- Regulation (EU) 2016/679 of 27th April 2016 on the protection of natural persons with regard to the processing of personal data and the free circulation of the said data, by virtue of which Directive 95/46/EC is repealed (General Data Protection Regulation)
- Organic Law 3/2018 of 5th December on the Protection of Personal Data and the guarantee of digital rights.
- Organic Law 3/1986 of 14th April on Special Measures in Matters of Public Health.
- Law 33/2011 of 4th October on General Public Health.
- Law 14/1986 of 25th April on General Health.
- Royal Decree Law 21/2020 of 9th June on urgent prevention, containment and coordination measures to combat the health crisis caused by COVID-19.
- Agreement of 9th October 2020 reached by the Ministry of Economic Affairs and Digital Transformation (Secretariat of State for Digitalisation and Artificial Intelligence) and the Ministry of Health with regard to the “Radar COVID” App.
5. How do we obtain your data and where does it come from?
The COVID-19 positive confirmation code provided by the Public Health Service. This will allow the temporary exposure keys by means of which the user’s device has generated the random codes (Bluetooth ephemeral identifiers) sent to the devices with which the user has come into contact over the previous fourteen days to be uploaded onto the server. These keys are only uploaded onto the server with the USER’s express and unequivocal consent by virtue of having entered a COVID-19 positive confirmation code.
The exposure notification notice is provided by the application anonymously for the purpose of composing an aggregate statistic of the volume of users who have been notified.
6. What do we use your data for and why do we use it?
The collection, storage, modification, structuring and, where appropriate, erasure of the data generated will constitute processing operations performed by the Owner as the processor in order to guarantee the proper functioning of the App, maintain the service provision relationship with the User and oversee the management, administration, provision and improvement of the service.
The information and data collected via the App will be processed for purposes strictly of public interest in the field of public health, given the current health emergency situation caused by the COVID-19 pandemic and the need to control the spreading thereof, and to guarantee the vital interests of you and third parties, in accordance with current data protection regulations.
To this effect, we use your data to provide you with the “Radar COVID” service and to enable you to use its features in accordance with its terms of use. In accordance with the General Data Protection Regulation (GDPR) and any applicable domestic legislation, the SGAD will process all the data generated during use of the App for the following purposes:
- To provide you with information on contacts regarded as being at risk of exposure to COVID-19.
- To provide you with practical advice and recommendations on action to be taken in the event of situations involving quarantine or self-isolation.
- The data will always and only be used in an anonymised way for statistical and epidemiological purposes.
This processing will be performed via the risk contact notification feature that identifies risk situations due to having been in close contact with users of the App who are infected by COVID-19. You will thus be informed of the measures to be subsequently taken.
7. How long do we retain your data for?
The temporary exposure keys and Bluetooth ephemeral identifiers are stored on the device for a period of fourteen days, after which they are deleted.
Similarly, the temporary exposure keys that have been sent to the server by USERS with a positive COVID-19 diagnosis following the introduction of the confirmation code will also be deleted from the server after fourteen days.
In any event, as indicated above, neither the temporary exposure keys nor the Bluetooth ephemeral identifiers contain any personal data, nor do they allow identification of the users’ mobile phones.
The Exposure Notification Notice is added to the Daily Notifications Reported flag and is discarded for any other use.
8. Who has access to your data?
The data managed by the mobile App (daily temporary exposure keys and Bluetooth ephemeral identifiers) are stored on the user’s device solely for the purpose of making calculations and informing the USER of any risk of exposure to COVID-19.
Only in the event of the notification of a positive COVID-19 diagnosis, the temporary exposure keys generated on the device over the last fourteen days are uploaded onto the server to be sent to all the USERS of this system, once their express and unequivocal consent has been granted.
These keys are in no way related to the identities of the mobile devices or the personal data of the App’s USERS.
The reported exposure notification notices are used solely for the generation of aggregated and anonymised statistical data.
9. What are your rights and how can you control your data?
The current regulations grant you a series of rights with regard to the data and information about you that we process. These are, specifically, the rights of access, rectification, erasure, restriction and objection.
You can check the scope and full details of these rights on the Spanish Data Protection Agency website (AEPD) here.
Generally speaking, you can exercise all these rights at any time and free of charge. You can contact the Data Controllers (either the Ministry of Health or the Autonomous Community in which you reside) by electronic means. In the case of the Ministry of Health you can do so via this form or in person through the network of offices for assistance in registration matters by using this request template (version that can be edited or printed).
Similarly, you have the right to submit a claim to the Spanish Data Protection Agency at any time.
10. How do we protect your data?
The data controllers, as well as the SGAD as the data processor guarantee the security, secrecy and confidentiality of your data, correspondence and personal information and have adopted the strictest and most robust security measures and technical means to prevent their loss or misuse or access to them without your authorisation. The security measures implemented correspond to those envisaged in Annex II (Security Measures) of Royal Decree 3/2010 of 8th January, regulating the National Security Framework in the field of Electronic Administration.
Finally, we inform you that the storage and other activities for the processing of any non-personal data used will always take place within the European Union.
11. What do you have to take into account in particular when using “Radar COVID”?
You should take into account certain aspects related to the minimum age for use of the App, the quality of the data you provide us with and the uninstallation of the App from your mobile device.
- Minimum age of use: in order to use “Radar COVID” you must be over 18 years of age or receive the authorisation of your parents and/or legal guardians. Therefore, by signing up for the App, you guarantee to the Owner that you are of legal age or that you have received the above-mentioned authorisation.
- Quality of the data that you provide us with: the information that you provide us with during your use of the App’s services must always be real, truthful and updated.
- Uninstalling the App: generally speaking, you can uninstall the App from your device at any time. This process removes the history of codes received from other mobile phones for the close contact notification functions from your mobile phone.
12. Transfers of data to countries within the European Union
Radar COVID participates in the application integration platform of the European Union, in such a way that the positive keys will be shared with third countries of the EU and vice versa.
When a user’s device downloads the positive keys to analyse potential close contacts, it will also download the positive keys of third countries that form part of the European project. This will allow the identification of potential close contacts either if the user has visited any of these countries or if they have been in close contact with a visitor from these countries.
When the user enters a COVID-19 positive diagnosis confirmation code, their free, specific, informed and unequivocal consent will be requested for the sharing of their infected keys with third countries via the European interoperability platform, thus facilitating the digital tracing of potential close contacts. The sending of your infected keys to the network of European countries that form part of this project is completely voluntary.
No data transfers outside the European Union will be performed.
13. Cookie policy
We only use technical cookies that enable the user to browse and use the different options or services provided by the App, such as accessing parts with restricted access or using security elements while browsing.
I have read the PRIVACY POLICY OF THE “Radar COVID” APP.