1. Legality of treatment
Once the principles to be observed in the treatment of personal data of a health nature have been established, we must analyse what the possible legal bases are, the legal justifications, in short, that make it possible for the treatment to be licit.
To this end, it will be necessary, in the first instance, to determine what the applicable legal bases are. Once these have been detected, and taking into account that we are in the presence of special categories of personal data (essentially data relating to the health of the data subject), we will have to analyse whether there are also any exceptions to the general prohibition on the processing of this type of data (article 9, paragraphs 1 and 2, RGPD). Only if both circumstances are present, we may process this type of personal data; otherwise, no.
If we look at article 6 RGPD we see that, in the context described, the processing carried out by health authorities and, in a purely labour context, by employers, may be covered by the following grounds for legitimacy:
In the first place, the consent of the data subject to the processing of his/her personal data [article 6.1.a) RGPD], consent that must be explicit in order to overcome the general prohibition of the processing of health data [article 9.2.a) RGPD]. According to article 4.11) RGPD, the consent consists of:
“[…] any free, specific, informed and unambiguous expression of will by which the data subject agrees, either by declaration or by clear affirmative action, to the processing of personal data concerning him/her.” In this way, of the possible modalities enabled by the regulations, only the declaration, and not the clear affirmative action, will be possible to understand validly given consent for the processing of special categories of personal data.
On 27 March, the Ministry of Health issued Order SND/297/2020, of 27 March, in which the Secretary of State for Digitalisation and Artificial Intelligence of the Ministry of Economic Affairs and Digital Transformation was entrusted with the development of various actions for the management of the health crisis caused by the COVID-19 , carrying out various actions aimed at contributing to improving the management of the crisis. Among these actions, this order provides for the development of technological solutions and mobile applications for data collection in order to improve the operational efficiency of health services, as well as better care and accessibility for citizens.
Specifically, it establishes the need to implement a computer application that will allow the user to perform a self-assessment, based on the medical symptoms reported, of the probability of being infected by the COVID-19, to offer him/her information about it and provide him/her with practical advice and recommendations to follow according to the assessment, in addition to enabling him/her to geolocate to verify that he/she is where he/she declares to be. These features will be voluntary, so that any interested party who wishes to submit to them must give their explicit consent. The person responsible for the processing will be the Ministry of Health and the person in charge of the processing will be the General Secretariat of Digital Administration (articles 28 RGPD and 33 LOPDGDD).
It also foresees the development of a conversational assistant/chatbot to be used through instant messaging applications and which will provide official information, requiring the consent of whoever raises the doubts or queries related to the health crisis. The Ministry of Health will be responsible for the processing and the Secretariat of State for Digitalisation and Artificial Intelligence will be responsible for the processing through the Subdirectorate General for Artificial Intelligence and Digital Enabling Technologies.
Secondly, when the employer is the data controller, the processing will be justified by the fulfilment of a legal obligation incumbent on him/her (article 6.1.c RGPD).
This legal imperative, embodied in the health and labour regulations and, in particular, in the prevention of occupational hazards (Law 31/1995, of 8 November, on the prevention of occupational hazards), will enable employers to process the data of staff that are necessary to guarantee their health and to adopt the necessary measures by the competent authorities, which also includes ensuring the right to health protection of the rest of the staff and avoiding contagion within the company and/or work centres that could spread the disease to the whole population.
In this way, the company will be able to know if the worker is infected or not in order to design, through its prevention service, the necessary contingency plans or those that have been foreseen by the health authorities.
Thirdly, and taking into account the progress of the disease in the data subject, the circumstance established in Article 6(1)(d) of the General Data Protection Regulation may also apply, which establishes the need for processing in order to protect the vital interests of the data subject or of another natural person, which, by extension, means that these natural persons may even be unidentified or identifiable; that is to say, in the words of the AEPD:
“This would justify, from the point of view of the processing of personal data, in the broadest possible way, the measures adopted to this end, even if they are aimed at protecting unnamed persons or in principle unidentified or identifiable persons, since the vital interests of these natural persons must be safeguarded, and this is recognised by the regulations on the protection of personal data”.
As established in Article 6.3 GPRS, the basis of processing for reasons of vital interest does not have to be established by Union law or the law of the Member States applicable to the data controller, since that paragraph refers exclusively to processing established and carried out for the fulfilment of a legal obligation or for the performance of a task carried out in the public interest or in the exercise of public authority, this circumstance not being included.
Fourthly and lastly, when the treatment is carried out by the Ministry of Health, the Health Departments of the Autonomous Communities or the health professionals who treat the patients or intervene in the control of the epidemic, in order to prevent the spread of the disease that has caused the health emergency, the reason for these treatment operations will be the legitimate interest pursued (Article 6.1.e) RGPD).
As we indicated at the beginning of this paragraph, in addition to the existence of a legitimate basis for Article 6 RGPD, one or more exceptional circumstances of those provided for in Article 9.2 RGPD are required for the planned processing operations to comply fully with the principle of lawfulness, fairness and transparency of Article 5.1.a) RGPD; otherwise, the prohibition laid down in the first paragraph of Article 9 RGPD, which provides for a general prohibition on the processing of special categories of personal data, will apply.
This being the case, we can establish the following grounds for exception:
Firstly, the one foreseen in article 9.2.b) GPRS, which establishes the possibility of processing special categories of data when the processing
“is necessary for the performance of obligations and the exercise of specific rights of the controller or the data subject in the fields of employment law and social security and protection insofar as authorised by the Union law of the Member States or by a collective agreement under the law of the Member States which provides adequate safeguards for the respect of fundamental rights and the interests of the data subject.”
In this exception, as the AEPD itself points out in its recent Report 0017/2020 :
“The employer is subject to the regulations on the prevention of occupational risks (Law 31/1995, of 8 November, on the prevention of occupational risks) from which it follows, in Article 14 and concordance with that law, a duty of the employer to protect workers from occupational risks, for which the employer must guarantee the safety and health of all workers in his service in work-related aspects.”
On the same basis, Article 29 of Law 31/1995, of 8 November, on the Prevention of Occupational Risks, which transposes Article 13 of Council Directive (89/391/EEC), of 12 June 1989, on the implementation of measures to encourage improvements in the safety and health of workers at work, also establishes obligations on workers with regard to risk prevention. Así́, it is the responsibility of each worker to ensure, according to his possibilities and by complying with the prevention measures adopted in each case, his own safety and health at work and that of other persons who may be affected by his professional activity, because of their acts and omissions at work, in accordance with their training and the employer’s instructions.
This means that they must immediately inform their direct supervisor and the workers designated to carry out protection and prevention activities or, where appropriate, the prevention service, of any situation which they consider, on reasonable grounds, to involve a risk to the safety and health of workers; contribute to the fulfilment of the obligations laid down by the competent authority to protect the safety and health of workers at work and cooperate with the employer to enable him to ensure that working conditions are safe and do not entail risks to the safety and health of workers.
In the context of the current situation arising from covid-19 this means that the worker must inform his employer in the event of suspected contact with the virus, in order to safeguard not only his own health but also that of the other workers in the workplace, so that appropriate measures can be taken. The employer must process such data in accordance with the RGPD, and the appropriate security measures and proactive responsibility required for processing must be adopted (art. 32 RGPD)”.
Similarly, that established in article 9.2.c) RGPD, which is directly related to the cause of article 6.1.d) RGPD:
“the processing is necessary to protect the vital interests of the data subject or of another natural person, in the event that the data subject is physically or legally incapable of giving consent”.
This will be the case, for example, where the data is processed after the patient has been admitted to an intensive care unit or equivalent area of the healthcare facility, allowing staff to communicate the admission and/or the progress of the patient to relatives or persons who have had contact with the individual admitted.
And, finally, those included in letters g), h) and i) of article 9 RGPD, which establish the need for the treatment when it is, respectively, necessary:
“‘on grounds of an essential public interest based on Union or Member State law, which must be proportionate to the aim pursued, respecting in substance the right to data protection and providing for appropriate and specific measures to protect the interests and fundamental rights of the data subject’.
“for the purposes of preventive or occupational medicine, assessment of the worker’s fitness for work, medical diagnosis, the provision of care or treatment of a health or social nature or the management of health and social care systems and services on the basis of Union or Member States’ law or pursuant to a contract with a health professional and subject to the conditions and guarantees referred to in paragraph 3”.
“for reasons of public interest in the field of public health, such as protection against serious cross-border threats to health or to ensure high standards of quality and safety of health care and medicinal products or medical devices, on the basis of Union or Member States’ law providing for appropriate and specific measures to protect the rights and freedoms of the person concerned, including professional secrecy”.
These circumstances, as the Spanish supervisory authority indicates, may be examined jointly, inasmuch as both refer to a public interest, the first of which is described as ‘essential’ and the second of which refers to a public interest described ‘in the field of public health, such as protection against serious cross-border threats to health’, all on the basis of Union law or the law of the Member States laying down appropriate and specific measures to protect the rights and freedoms of the person concerned, in particular professional secrecy.
The sum of all these measures will allow the processing of personal data when these are essential for, among other things, taking cognisance of the status, positive or negative, in the self-diagnostic test through telephone assistance or the use of the application for mobile phones, as well as for transmitting this information to the staff providing the service of sending recommendations and notifications to the patient and following their progress.
1. Aba Catoira, A., “El estado de alarma en España”, Teoría y realidad constitucional, núm. 28, 2011, pp. 305-334.
2. Agencia Española de Protección de Datos, Informe del Gabinete Jurídico 0017/2020.
3. Atienza Macías, E., “Algunas consideraciones sobre la protección de datos en el tratamiento de muestras biológicas y datos de salud con finalidad de control antidopaje en el ámbito deportivo: El pasaporte biológico”, IUS ET SCIENTIA: Revista electrónica de Derecho y Ciencia, núm. 2, 2017, pp. 14-36
4. European Data Protection Board, Statement by the EDPB Chair on the processing of personal data in the context of the COVID-19 outbreak, 16 de marzo de 2020.
5. Hernández Corchete, J. A., “Transparencia en la información al interesado del tratamiento de sus datos personales y en el ejercicio de sus derechos”, Piñar Mañas, J. L. (Dir.), Reglamento general de protección de datos hacia un nuevo modelo europeo de privacidad, Madrid, Ed. Reus, 2016, pp. 205-226.
6. Marzo Potera, A., “La inoportuna doctrina de las autoridades europeas de protección de datos frente al Covid-19”, Hay Derecho, 18 de marzo de 2020.
7. Martínez Martínez, R., “A la muerte por protección de datos”, LOPD y Seguridad, 11 de marzo de 2020.
8. Minero Alejandre, G., “COVID-19 y protección de datos personales. Quo vadis?”, Blog Facultad de Derecho, 27 de marzo de 2020.
9. Muñoz Rodríguez, J., “Principios de protección de datos: licitud, lealtad, transparencia, minimización, exactitud, integridad y confidencialidad”, Economist & Jurist, núm. 217, 2018, pp. 18-23.
10. Piñar Mañas, J. L., “La protección de datos durante la crisis del coronavirus”, Consejo General de la Abogacía Española, 20 de marzo de 2020.
11. Puyol Montero, J., “Los principios del derecho a la protección de datos”, en PIÑAR MAÑAS, J. L. (Dir.), Reglamento general de protección de datos: hacia un nuevo modelo europeo de privacidad, Madrid, Ed. Reus, 2016, pp. 133-150.
12. Rodríguez Ayuso, J. F., Figuras y responsabilidades en el tratamiento de datos personales, Vallirana (Barcelona), Ed. Bosch Editor, 2019.
13. Rodríguez Ayuso, J. F., “Tratamiento de datos relativos a la salud del interesado en el ámbito de la sanidad pública”, Actualidad administrativa, núm. 10, 2019.