The AEPD has published a report on data processing activities in relation to the COVID-19 pandemic

The RGPD allows the processing of personal health data without the consent of the data subject in situations of public interest in the field of public health and in compliance with legal obligations in the workplace arising from such situations

(Madrid, March 12, 2019). The Spanish Agency for Data Protection (AEPD) has published a report in which it analyses the processing of personal data in relation to the situation arising from the spread of the COVID-19 virus. The General Data Protection Regulation (RGPD) contains the necessary rules to legitimately allow processing of personal data in situations in which there is a general health emergency. Consequently, as stated in the report, data protection should not be used to hinder or limit the effectiveness of the measures taken by the authorities, especially health authorities, in the fight against the pandemic.

The report remarks that Recital 46 of the RGPD explicitly recognizes the mission carried out in the public interest (art. 6.1.e) or the vital interests of the data subject or other natural persons (art. 6.1.d) as the legal basis for the legitimate processing of personal data in exceptional circumstances such as the control of epidemics and their spread, notwithstanding that there may be other bases such as, for example, the fulfilment of a legal obligation, e.g. that of the employer in the prevention of occupational risks for their staff. These legal bases allow data processing without the consent of the data subjects. Health data is classified in the RGPD as a special category of data, its processing being prohibited unless it can be covered by one of the exceptions contained in the Regulation. The report specifies the exceptions contained in art. 9.2 RGPD:

  • Compliance with obligations in the field of labour law and social security and social protection (art. 9.2.b). The report recalls the obligation of employers and their staff in the prevention of occupational hazards, and that it is up to each worker to ensure their own safety and health at work and that of those who may be affected by their professional activity due to their acts and omissions at work. This means that staff must inform their employer in case of suspected contact with the virus, in order to safeguard, in addition to their own health, that of other workers in the workplace so that appropriate measures can be taken.
  • The public interest in the field of public health (art. 9.2.i), which in this case is configured as an essential public interest (art. 9.2.g).
  • When necessary to carry out a medical diagnosis (art. 9.2.h).
  • When the processing is necessary to protect the vital interests of the data subject or of other persons, when the data subject is not capable of giving their consent (art. 9.2.c).

On the other hand, the report refers to Organic Law 3/1986 on Special Measures in Public Health Matters (modified by Royal Decree-Law 6/2020, of March 10) or General Public Health Law 33/2011. The first of said provisions remarks that “in order to control communicable diseases, the health authority, in addition to carrying out general preventive actions, may adopt the appropriate measures to control the sick persons, people who are or have been in contact with them and the immediate environment, as well as those deemed necessary in the event of a transmissible risk”.

Regarding the risk of transmission of diseases, epidemics, health crises, etc., the applicable regulations have given the health authorities of the various Public Administrations the powers to adopt the necessary measures provided by law when required by urgent health reasons or necessity. From the point of view of personal data processing activities, the protection of the vital interests of natural persons corresponds in the field of health to the different health authorities from the different public administrations, who may adopt the necessary measures to safeguard people in health emergency situations.

Thus, it will be the health authorities of the different Public Administrations who shall take the necessary decisions, and the different parties responsible for the processing of personal data must follow these instructions, even when it involves the processing of personal health data.

In the same way, and in application of the provisions of the labour and occupational risk prevention regulations, employers may process, in accordance with said regulations and with the guarantees established by them, the data necessary to guarantee the health of all their personnel and avoid contagions within the company and/or its work centres.

Finally, the report highlights that the processing of personal data, even in these situations of health emergency, must continue to be carried out in accordance with the regulations on the protection of personal data (RGPD and Organic Law 3/2018 on the Protection of Personal Data and guarantee of digital rights), since these rules have foreseen this eventuality. Their principles therefore apply, among them that of processing personal data in a legitimate, lawful and transparent manner with due respect to purpose limitation (in this case, safeguarding people's interests in this pandemic situation), and also the principles of accuracy and data minimization. On the latter, an express reference is made to the fact that the data processed must be exclusively limited to that necessary for the intended purpose, without such processing being extended to other personal data not strictly necessary for said purpose.