The Spanish DPA (AEPD) has published a legal report (available in Spanish only) regarding the processing of personal data in Spain, including health-related data, within the context of the coronavirus (COVID-19) disease.
The press release published by the Spanish DPA is available at this link.
The report is available at this link.
The Spanish DPA highlights the following:
- Lawful basis for the processing of personal data. Recital 46 of the GDPR recognizes that processing in situations such as the monitoring of epidemics may rest on both the public interest (art. 6.1.e GDPR) and the vital interests of the data subject (art. 6.1.d GDPR). Regarding the latter, the Spanish DPA highlights that the vital-interests basis is not limited to the vital interests of the data subject himself/herself: processing is also lawful if it is aimed at protecting the vital interests of other individuals.
Moreover, other lawful bases recognized in the GDPR may also allow for such processing, including the duty to comply with legal obligations, such as the duty of employers to comply with health and safety rules within the workplace.
All the above lawful bases allow the processing of personal data without the need for the data subject’s consent.
- Processing of health-related data. If the processing of personal data within the context of the coronavirus (COVID-19) disease requires a data controller to process health-related data, the Spanish DPA points out in its report that the data controller must also be covered by one of the circumstances set out in article 9 GDPR (special categories of personal data). In other words, whenever health-related data is processed, two conditions must be met cumulatively: a lawful basis under article 6 GDPR (section 1 above) and an applicable exception under article 9.2 GDPR (section 2).
According to the Spanish DPA, the processing of health-related data is lawful:
- If necessary for the purposes of carrying out obligations in the field of employment and social security and social protection law (art. 9.2.b GDPR). In this context, the Spanish DPA’s report does not analyse whether specific proactive measures adopted by the employer to protect health and safety at work are lawful, but it does highlight the duty of the employee to inform the employer of his/her suspicion of having been in contact with the virus, so as to protect the health of other workers in the workplace.
- The report also considers the potential applicability of other circumstances set out in article 9 GDPR to the processing of health-related data, namely where processing is necessary (i) to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent (art. 9.2.c GDPR); (ii) for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health (art. 9.2.i GDPR), which the report also treats as a substantial public interest (art. 9.2.g GDPR); or (iii) for the purposes of medical diagnosis (art. 9.2.h GDPR).
- The report sets out that, under Spanish law, the protection of vital interests in this area has been assigned to the competent health authorities, which are therefore the bodies entitled to adopt the relevant protective measures. Data controllers should follow any instructions given by those authorities, even where doing so involves processing the health-related data of individuals.
Finally, the report emphasizes that, even in the context of a health emergency, the processing of personal data must still meet the requirements of data protection law, including the principles of lawfulness, fairness and transparency, accuracy, purpose limitation and data minimization.