Start of main content

The SDPA rules on the treatment of health data related to COVID-19 in the offer and search for employment

| COVID-19 | Privacy, IT & Digital Business

Alerted by certain practices that are being carried out in the scope of hiring, the Spanish Data Protection Agency (SDPA) issued a statement on the processing of health data derived from the offer and search for employment on 18th June 2020. Find highlighted the key aspects below:

Firstly, it should be mentioned that the SDPA has found that, because of the health crisis caused by COVID-19, certain practices are being carried out consisting of requesting from job candidates certain information on overcoming the illness caused by the virus and, where appropriate, on whether antibodies have been developed, as a requirement for access to the job.

The SDPA emphasises that this type of practice in the field of employment contracts implies a breach of data protection regulations, insofar as there is no legal basis that sufficiently legitimises such processing of the candidates' health data. Thus, the SDPA has carried out an analysis of the possible legal bases that could be used:

Consent: In relation to the possibility of requesting the consent of the candidate for the processing of such health data, the SDPA recalls that, as interpreted by the European Data Protection Committee, consent should not be considered as freely given when there is no real or free choice, or consent cannot be refused or withdrawn without prejudice (i.e. withdrawal of the candidature). Therefore, it is considered that such processing of health data by the company, based on the consent of the candidate, would not be lawful.

Contract agreement: On this point, the SDPA argues that the processing of such health data of the candidate could not be covered either by the legal basis for the execution of a contract, since the request for such health data is neither necessary nor essential for the drawing up of the employment contract. Otherwise, excessive processing would be carried out, leading to a breach of the principle of minimisation laid down in the data protection regulations.

Obligations and rights of the company: Finally, the SDPA analyses whether the processing of these candidates' health data can be covered by the obligations and rights that the labour and risk prevention regulations impose on the employer. Thus, the SDPA considers that the request for this data would be excessive, insofar as it is: (i) the candidate is not yet an employee of the company; and (ii) because the health data collected from the candidate would not contribute significantly to the protection of the other employees.

In conclusion, the SDPA argues that the request to candidates for information on whether they have suffered from COVID-19 and, if so, on the development of antibodies, cannot be processed because there is no sufficient legal basis for doing so and, therefore, the purpose of the processing would not be legitimate.

Finally, it should be stressed that, in the event that the candidates themselves include, on a voluntary basis, such information in their curriculum vitae, the company receiving that curriculum must proceed to delete that information immediately, preventing it from being processed, which may even require the destruction of the curriculum itself, in order to guarantee compliance with data protection regulations.

We hope the information is useful and of your interest. At Andersen Tax & Legal we have created a multidisciplinary team to deal with all the questions that may arise in this area or in relation to the COVID-19 and all the firm's professionals are at your disposal.

You can consult the bulletin issued by the SDPA or you can download the full document here.

For more information please contact:

Isabel Martínez Moriel | Director in the area of Privacy, IT & Digital Business

End of main content