Question: We would like clarification regarding the disclosure of preschool children’s personal data to the Sanitary Inspectorate (Sanepid) for the purpose of placing children under quarantine after contact with an infected child at the kindergarten. A parent claims that the school management should not share such data. The data in question were transmitted in an encrypted file formatted as a spreadsheet, which we received from Sanepid.

Answer:
The educational institution is authorized to share children’s data for the purpose of placing them under quarantine, in connection with an ongoing epidemiological investigation. Importantly, the data were properly secured, which is an appropriate and required practice.

This action is justified under the public interest or public authority clause pursuant to Article 6(1)(e) of the GDPR. The purpose of such data processing is to prevent the spread of infectious diseases and to support sanitary services in conducting epidemiological tracing when an infected person has been present at the facility.

In other words, the aim of the kindergarten when disclosing children’s data is to protect the life and health of students, staff, and other individuals present on the premises, by taking preventive measures to eliminate the source of infection and cut off the transmission route of the contagious disease. It also facilitates the Sanitary Inspectorate’s ability to carry out an effective epidemiological investigation.

A parent may, in theory, object to such processing due to reasons related to their specific situation. However, in practice, such an objection will not be upheld, as the kindergarten has a clearly legitimate legal basis for processing the data, one that overrides the interests, rights, and freedoms of the data subject — namely, the broader goal of combating infectious diseases.