TOURISM, DATA PROTECTION AND COVID-19 359 Moreover, the controller must provide data subjects with concise, transparent, intelligible and easily accessible information about the processing of their personal data25. In order to ensure a fair and transparent processing, automated decisions should take account of all the circumstances surrounding the data and not be based on merely decontextualised information or on data processed results. As regards to lawful processing, automated decision-making including profiling, which produces legal effects concerning a tourist or similarly significantly affects him is only permitted when: i. It is necessary for entering into, or performance of, a contract between the traveler and a data controller. It may be difficult to show that big data analytics in STD are strictly necessary for the performance of a contract, since the profiling goes beyond what is required to sell a product or deliver a service; ii. It is based on the tourist explicit consent. Data subjects should have enough relevant information on the envisaged use and risks of the processing to ensure that any consent they provide represents an informed choice; and iii. There is EU or national legislation permitting it, e.g. for monitoring and preventing fraud and tax-evasion, or to ensure the security and reliability of a service provided by the controller (recital 71). In this complex framework, we also need to consider the shortcomings of ePrivacy Directive. The European Commission presented a Proposal for a new e-Privacy Regulation26, on 10 January 201727. According to the Proposal, the New Regulation will have a relevant effect on geolocation related rules. In any case we should wait for the final agreement between the EU Institutions before an accurate analysis of the New Regulatory Ecosystem regarding e-Privacy. 25 Art. 12(1), and within the timescale set out in Art. 14(3) GDPR. 26 Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/CE (Regulation on Privacy and Electronic Communications). 27 The Directive is currently in draft form, finalised, on 10 February 2021, by the Council of the European Union.
RkJQdWJsaXNoZXIy MTE4NzM5Nw==