AEPD's notice on Coronavirus self-assessment apps and websites


(March 26, 2020). In the current health emergency arising from the spread of the COVID-19 coronavirus, initiatives are being developed that involve a high volume of personal data processing activities and, in particular, the processing of sensitive data such as health data.

This emergency situation cannot result in a suspension of the fundamental right to the protection of personal data. At the same time, however, data protection legislation cannot be used to impede or limit the effectiveness of measures taken by competent authorities, especially health authorities, in the fight against the epidemic, since that legislation provides for solutions that make the lawful use of personal data compatible with the measures necessary to effectively guarantee the common good. To this end, the Agency is working with the competent authorities by providing them with criteria to make both the use of personal data and the said measures fully compatible.

The Agency has found that initiatives are being launched, from both the public and private spheres, that ask citizens to provide personal information, mainly related to their health, in the context of the emergency our country is experiencing. These initiatives have a broad spectrum, from local to global, and use apps or web pages.

In view of this situation, the Agency recalls the criteria that must be applied for the processing of personal data to be lawful.

The rationale for such processing activities is the need to attend to missions carried out in the public interest, as well as to guarantee the vital interests of the data subjects themselves or third parties.

The purposes for which data can be processed are only those related to the control of the epidemic, including those of providing information on the use of self-assessment apps carried out by public administrations or obtaining statistics with aggregated geolocation data to provide maps that report on areas of higher or lower risk.

The data that may be obtained and used must be those deemed to be proportional/necessary by the competent public authorities to fulfil those purposes.

This data may only be provided by those over the age of 16. To process the data of children under 16 years old, the authorization of their parents or legal representatives would be required.

Such data may only be processed by the public authorities competent to act in accordance with the declaration of the state of alarm, i.e. the Ministry of Health and the Counsellors of Health of the Autonomous Communities, which may transfer data to each other, and to health professionals who treat patients or who are involved in the control of the epidemic.

Private entities collaborating with such authorities may only use the data in accordance with the instructions of the said authorities and, in no case, for purposes other than the authorized ones.

If citizens use applications or websites that are not owned by public authorities, but are offered by private entities or individuals, the legitimacy indicated above for data processing will not exist. In this sense, it is important to recommend that citizens be especially careful when finding out who will process their personal data, for what purpose and with what guarantees.

Regarding the possibility that all those citizens who have tested positive for COVID-19 can be geolocated through the mobile phone numbers they have previously provided, so that their quarantine can be monitored, it is necessary to start again from the broad powers that the health authorities have in exceptional situations, as the present epidemic undoubtedly is, taking into account, in addition, that one of the exceptional measures for managing the health crisis caused by COVID-19 is to limit people's freedom of movement.

Again, we are faced with an obligation imposed by the health authorities in order to prevent the spread of the COVID-19 coronavirus, and which requires special control of those who have tested positive and who have been forced to remain at home in quarantine. It also makes it possible to know the areas with the highest number of affected people in order to adopt the appropriate measures.

However, the only data that, for the purposes of geolocation, should be provided to telecommunications operators, if applicable, would be the mobile phone number to be geolocated, unless the Ministry of Health considered that it was essential to provide some other data for the purposes of monitoring the disease.

In any case, those who intend to obtain and process citizens' data must inform them in a clear, accessible and easily understandable way of all the aspects that have been described.