Countless people are currently being regularly tested for infection with the Corona virus Covid-19. The well-known Corona rapid tests are used for this purpose. In these tests, a swab is taken from the pharyngeal or nasal mucosa for evaluation. Once the result of the rapid test has been determined, the material containing the genetic data of the persons tested is mainly disposed of in the normal waste. But is this form of disposal of genetic material even compliant with the GDPR? DSGVO is the German abbreviation for the General Data Protection Regulation (GDPR).
Here you will learn everything important in a nutshell.
Corona rapid tests as data within the meaning of the GDPR
When performing a Corona rapid test, a swab must be taken from the mucosa. This is indisputably genetic data (recital 34 to the GDPR) in the form of a sample. According to Art. 9 of the GDPR, these data fall under the special category of personal data and require special protection.
Level of protection of the GDPR for the processing of genetic material
For GDPR-compliant processing, the respective level of protection required by the GDPR must be complied with. For this purpose, the GDPR makes provisions on the security of processing (Art. 32 GDPR).
Disposal of Corona rapid tests with genetic material as processing
The GDPR understands processing very broadly. According to Art. 4 No. 2 GDPR, the term includes operations such as collection, recording, organization, classification, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Accordingly, the disposal of a sample containing genetic data (Corona rapid test) falls under processing within the meaning of the GDPR.
Safety of the disposal of genetic material as processing
According to Art. 32 I GDPR, the requirements for the security of this processing are to be measured primarily against the state of the art. Accordingly, appropriate technical and organizational measures (TOMs) must be taken to protect the data. Among other things, measures such as pseudonymization, encryption and ensuring the confidentiality, integrity, availability and resilience of the systems and services for processing may be necessary.
In most cases, the disposal of Corona rapid tests takes place in the normal trash after evaluation. This is current practice in many companies and other institutions where employees are required to test on a regular basis. In the normal waste, the genetic data are not protected. According to the current state of the art, there are ways to dispose of this genetic data in such a way that it is rendered unrecognizable, e.g. by disposers of laboratory waste, which is also required under the GDPR.
Consent of the person concerned to disposal in normal waste?
The question might arise whether the data subject could consent to processing with lower security (Art. 6 I 1 lit. a GDPR).
Regardless of whether this was possible at one time, under the Resolution of the Conference of the Independent Data Protection Authorities of the Federation and the Länder of November 24, 2021, this procedure is no longer possible in Germany. Number 2 of the decision states that the "waiver of the technical and organizational measures to be provided by the controller or the lowering of the legally prescribed standard on the basis of consent" is not permissible. In addition, number 1 of the decision generally states that the technical and organizational measures pursuant to Article 32 GDPR are not at the disposal of the parties involved, as they are based on objective legal obligations.
Accordingly, the data subject cannot consent under the GDPR to the disposal of Corona rapid tests via normal waste.
GDPR-compliant disposal via a special disposal company
For GDPR-compliant disposal of these samples, normal garbage will therefore never suffice. It is necessary to commission a special disposal company to dispose of them in accordance with the GDPR.
It should be noted here that this then constitutes commissioned processing (Art. 28 GDPR). A corresponding contract for commissioned processing must be concluded with the special disposer. In addition, the special disposer must be able to prove that it can comply with appropriate protection and destruction levels for the data to be disposed of.
The current mass practice of disposing of Corona rapid tests in normal waste cannot be reconciled with the GDPR. Data protection violations are taking place by the millions. Special disposal would have to take place for GDPR-compliant disposal. The most pragmatic solution here would be to hire a special disposal company as a processor.