Ministry of Public Administration – Violation Found (Slovenia, 2021)

The ministry collected expressions of interest for vaccination against COVID-19 on the website https://e-uprava.gov.si/podrocja/sociala-zdravje-smrt/zdravje/vloga-cepljenje.html. The register then became a list for vaccination. Information under Article 13 GDPR were not provided. The DPA reminded that the use or aggregation with other databases or other forms of further processing of personal data of individuals who have already submitted or are about to submit an application for vaccination against COVID-19 through the eGovernment portal constitutes a breach of the GDPR. Controllers must restrict the processing of personal data of individuals who have already submitted an application through the eGovernment portal. Controllers must ensure fair and transparent processing of personal dat. All persons who have already submitted, or are about to submit, an expression of interest for COVID-19 vaccination on the e-government portal, shall receive in a concise, transparent, intelligible and easily accessible form and in plain and simple language, all the information referred to in Article 13(1) and (2) GDPR, including: *the identification of the controller(s), *the precise purpose and the legal basis of the processing, *the rights of individuals in this context.