Start of main content

The AEPD establishes guidelines for the treatment of health data in relation to Covid-19

| COVID-19 / Publications | Privacy, IT & Digital Business

Regarding the current emergency caused by COVID-19, on 12 March 2020

In view of the current emergency situation caused by COVID-19, on March 12, 2020, the Spanish Data Protection Agency (AEPD) has issued an information note with the aim of establishing certain guidelines and recommendations for the processing of personal data in order to guarantee the health of the interested parties and avoid possible contagion. The key aspects are highlighted below:

Firstly, the AEPD considers that the processing of personal data for the purpose of safeguarding essential health interests (i.e. if a data subject has recently been in a quarantine area) is justified both by public interest considerations and by the protection of the vital interests of the data subject or other natural persons (Article 6.1(e) and (d) of the General Register of Data Protection (RGPD in Spanish)).

Likewise, for the processing of specially protected personal data (i.e. health data in relation to possible symptoms or health care) that may arise in the relations between employee and employer, the processing is considered necessary for the fulfilment of legal obligations and for the exercise of specific rights of the employer and his employees, in view of the labour, social security and occupational risk prevention regulations, which especially impose a duty of protection on the employer towards his employees. In this sense, companies may process data relating to infections and contagion, both of their employees and of visitors to their facilities or work centres, with the aim of designing and implementing the prevention and contingency plans they consider necessary.  To this end, the employer, as the person responsible for the processing, must apply the appropriate security measures in order to guarantee the security of the data collected, in accordance with its proactive responsibility.  

In particular, the AEPD indicates that there is the possibility of requesting, from both employees and visitors to the company's premises, information related to

(i) visits to countries with a high prevalence of the virus, within the incubation period of the disease (i.e. trips made in the last two weeks to particularly susceptible areas).

(ii) symptoms related to the disease (e.g. cough, fever and/or respiratory difficulties).

(iii) body temperature.

In any case, it is stressed that the treatment of these data must be in accordance with the principle of proportionality, without extensive health forms that are not directly related to the COVID-19. 

On the other hand, it should be mentioned that the AEPD considers that, despite the fact that employees are not obliged to inform their employer of the specific reason for their sick leave, this individual right may be ceded to the defence of the right to health protection of other workers and, in general, of the population. Consequently, it is considered possible to compel employees to inform if they have symptoms or have tested positive (themselves or their environment) in screening tests.

Finally, it should be underlined that the AEPD leaves full freedom to the persons responsible for the processing when deciding on the measures to be adopted, depending on the specific situation in which they find themselves, stressing the importance that all processing of personal data collected due to the emergency situation be in accordance with the principles of lawfulness, loyalty, transparency, minimisation and limitation of the processing, without giving rise to third parties (i.e. insurance companies or banks) being able to process the personal data for purposes other than those mentioned above.

You can see the complete AEPD informative note as well as the document with frequent questions issued by the Agency.

To download the full document follow this link

For more information please contact:

Isabel Martínez Moriel

End of main content