On March 12, 2020, the Spanish Supervisory Authority (“AEPD”) issued a statement and a report on data protection and COVID-19. The AEPD highlights that controllers processing personal data in the context of their effort to prevent COVID-19 must comply with the GDPR, the Spanish Data Protection Law and the Spanish sectorial health laws. However, the AEPD underlines that these laws do not stand in the way of addressing the challenges posed by the COVID-19 epidemic.

The guidance specifically addresses the following two data protection aspects:

  1. the legal basis for processing personal data; and
  2. the requirement to only process personal data that is adequate, relevant and limited to the processing purpose (data minimization).

  1. Legal basis

The AEPD reminds controllers that there are a number of legal bases under GDPR that allow them to process personal data in the context of the measures they take in reaction to COVID-19. However, since the processing involves special categories of data (i.e., health data), the AEPD highlights that the processing requires both a legal basis under Article 6 GDPR and a legal basis under Article 9 GDPR.

The AEPD indicates that controllers may rely on one of the following legal bases under Article 6 GDPR:

  • processing that is necessary for compliance with a legal obligation under EU or national law; (Article 6(1)(c) GDPR)
    • The AEPD gives the example of the employer’s obligation to prevent occupational hazards under Spanish labor law;
  • processing that is necessary in order to protect the vital interest of the data subjects or another natural person; (Article 6(1)(d) GDPR) and
    • The AEPD clarifies that the other “natural person” does not need to be an identified person, but can be an “identifiable person”.
    • The AEPD states that this legal basis should be interpreted “in the broadest possible way” to justify the “processing of personal data aimed at protecting all those persons likely to be infected in the spread of an epidemic”.
  • processing that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. (Article 6(1)(e) GDPR)

The AEPD indicates that controllers may rely on one of the following legal bases under Article 9 GDPR:

  • processing that is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law; (Article 9(2)(b) GDPR)
    • Employers have an obligation under Spanish Law 31/1995, of November 8, on the prevention of occupational hazards, to protect workers against occupational hazards and ensure the safety and health of all workers when performing their work-related tasks.
    • Employees have an obligation under Law 31/1995 to ensure the safety of the other employees at work and should report to their direct supervisor and the workers designated to carry out protective and preventive activities, or, where appropriate, the preventive services created for this purpose, “any situation which, in their opinion, could reasonably involve a risk to the safety and health of workers”. In particular, employees should inform their employers in case they suspect having had contact with the virus in order to safeguard their health, as well as that of their work colleagues.
    • The AEPD reminds employers that they should implement appropriate technical and organizational measures to protect the personal data they receive from their employees.
    • Employees must also “contribute to the fulfilment of the obligations laid down by the authority competent to protect the safety and health of workers in the workplace and cooperate with the employer so that the employer can ensure working conditions that are safe and do not pose a risk to safety and health of workers.”
  • processing that is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent; (Article 9(2)(g) GDPR)
  • processing that is necessary for reasons of substantial public interest, on the basis of Union or Member State law; (Article 9(2)(g) GDPR)
  • processing that is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law; (Article 9(2)(h) GDPR) and
  • processing that is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law. (Article 9(2)(i) GDPR)

According to the Spanish Organic Law 3/1986, of April 14, it is the responsibility of the public health authorities of the different public administrations to take the necessary measures to safeguard the essential public interests in situations of public health emergency such as the COVID-19 epidemic. Controllers should comply with the instructions issued by these authorities. In particular, pursuant to those instructions, controllers may communicate the fact that a person was infected to persons with whom the infected individual had contact in order to:

  • protect both the infected individual and the controller from the possibility of infection (on the basis of Article 6(1)(d) GDPR) and
  • protect other persons with whom the infected person may have been in contact (on the basis of Article 6(1)(d) GDPR and Article 9(1)(g) GDPR or Article 9(1)(i) GDPR).

Employers have specific obligations under the Spanish labor law to ensure the safety and health of their employees and avoid the spreading of the disease within their company and/or work centers (on the basis of Articles 6(1)(c) and 9(2)(b) GDPR). 

  2. Data minimization

The AEPD underlines that controllers may only process personal data that is adequate, relevant and limited to what is necessary to prevent the spreading of COVID-19. The AEPD mentions that recital 54 clearly states that:

“The processing of special categories of personal data may be necessary for reasons of public interest in the areas of public health without consent of the data subject. Such processing should be subject to suitable and specific measures so as to protect the rights and freedoms of natural persons. (…) Such processing of health-related data for reasons of public interest should not result in third parties, such as employers, insurance companies or banks, processing personal data for other health-related purposes.” (emphasis added by the AEPD)

*******************************************************************************

The publication of the AEPD’s statement follows the publication of similar statements by other EEA regulators, including those of France, Denmark, Hungary, Iceland, Ireland, Italy, Luxembourg, the Netherlands, Norway, Poland, Slovenia, Slovakia and the UK. Covington will continue to monitor developments in this area.