Analysis of the Report published by the Spanish Data Protection Agency in view of the exceptional situation caused by the spread of COVID-19
In view of the exceptional situation caused by the expansion of COVID-19 and the state of alarm decreed by the Government, doubts arise among the companies responsible for the processing of personal data regarding the application of the RGPD in this situation and the power to process data relating to health, considered to be a particularly sensitive category by the regulations, without the need to obtain the express consent of the data subjects.
To deal with this uncertainty, the Spanish Data Protection Agency (AEPD) has published a report to resolve these issues, as well as a list answering the frequently asked questions sent to it by both companies and citizens.
The first point that the AEPD intends to clarify in the aforementioned report is that the RGPD is applied in its entirety, since in the very content of the regulatory text the possibility is foreseen of having to deal with health emergency situations of a general scope, without this implying that the total applicability of the rules on the protection of personal data may represent an obstacle to the measures adopted by the competent authorities, above all the health authorities.
In this sense, Recital 46 gives legitimacy to the processing of personal data in emergency situations such as ‘the control of epidemics and their spread’, to processing operations carried out in the public interest and in the vital interests of the data subject and third parties.
As far as the processing of health-related data is concerned, which are the ones that are particularly relevant in the present situation, they are classified as special category by Article 9 RGPD and their processing is in principle prohibited unless one of the exceptions provided for in paragraph 2 of that Article is met.
In the current scenario, there are up to five exceptions that allow the processing of data relating to health and that do not require the consent of the data subject, such as the fulfilment of obligations in the field of labour law, since as the employer is subject to the Law on the Prevention of Occupational Risks, he must take all measures within his power to guarantee the health and safety of employees in the scope of their work; ensure the public interest, both in an essential sense of the concept and in the field of public health; where it is necessary for a medical diagnosis for preventive or occupational medicine purposes; and as mentioned above, where it is necessary to protect the vital interests of the person concerned or of other persons.
From what has been stated in the previous paragraph, it can therefore be concluded that, in order to safeguard the essential interests contained in the aforementioned exceptions, the persons responsible are empowered to take the appropriate corresponding measures involving the processing of personal data relating to health, without the need for the consent of the data subjects, and that they must comply with the provisions of the competent authorities, especially the health authorities.
Furthermore, such processing must always be carried out with the utmost respect for all the principles contained in Article 5 of the GPRS, with particular reference to the principle of minimisation of data, in the sense that data must be processed only for the purpose intended, without collecting more data than necessary and without using them for any other purpose.
By way of example, companies may deal with information on whether their workers are or may be infected with COVID-19 by asking the relevant questions without the need for the consent of the interested parties, such as symptoms, contact with infected or quarantined persons or recent visits to countries at risk, bearing in mind that any question that exceeds the information required to investigate a possible infection would be in breach of the principles of the RGPD.
Likewise, in the event of knowing of a case of contagion or possible contagion, it would be appropriate for the employer to communicate it to the rest of the personnel affected, maintaining the anonymity of the person affected whenever possible due to the circumstances, in compliance with the principle of minimization of Article 5 of the RGPD.
It can therefore be concluded that the AEPD communicates in its report that the situation of exceptionality experienced by the expansion of the COVID-19 does not affect the applicability of the regulations on data protection and that this allows those responsible for the processing to adopt the necessary measures to safeguard the vital interests of the individuals, the essential public interest in the field of health or the fulfilment of legal obligations in labour matters without the consent of the data subject, although always in accordance with the measures adopted by the competent authorities and complying with the principles relating to treatment contained in Article 5 of the RGPD.