The AEPD publishes a report on data processing in relation to COVID-19
- As stated in the report, data protection should not be used to hinder or limit the effectiveness of measures taken by the authorities, especially health authorities, in the fight against the pandemic.
- The report states that Recital 46 of the GDPR explicitly recognises, as legal bases for the lawful processing of personal data in exceptional cases such as the control of epidemics and their spread, the performance of a task carried out in the public interest (Art. 6.1.e) or the vital interests of the data subject or other natural persons (Art. 6.1.d), without prejudice to the existence of other bases such as, for example, compliance with a legal obligation (for the employer, the prevention of occupational risks to staff). These legal bases allow data to be processed without the consent of the data subjects.
- The report refers to Organic Law 3/1986 on Special Measures in the Field of Public Health (amended by Royal Decree-Law 6/2020 of 10 March) and General Law 33/2011 on Public Health. The first of these regulations states that “in order to control communicable diseases, the health authority, in addition to carrying out general preventive actions, may adopt appropriate measures for the control of the sick, of persons who are or have been in contact with them and of the immediate environment, as well as those considered necessary in the case of risks of a communicable nature”.
- From the point of view of the processing of personal data, the protection of the vital interests of natural persons in the field of health is the responsibility of the health authorities of the various public administrations, which may take the necessary measures to safeguard persons in health emergencies.
- The necessary decisions should be taken by the health authorities of the various public administrations, and the various controllers of personal data should follow their instructions, even when this involves the processing of personal health data.
- Employers may process, in accordance with such regulations and with the guarantees established by such rules, the data necessary to ensure the health of all their staff, and to avoid contagion within the company and/or workplaces.
- The processing of personal data, even in these health emergency situations, must continue to be carried out in accordance with personal data protection regulations.
- Its principles apply, including the principle of processing personal data lawfully, fairly and transparently, and the principle of purpose limitation.
- The data processed must be limited exclusively to those necessary for the intended purpose, without extending such processing to other personal data not strictly necessary for that purpose.
Link, only available in Spanish: https://www.aepd.es/es/documento/2020-0017.pdf