This post is also available in: Español

In the context of the global crisis caused by the COVID-19 pandemic, the processing of citizens’ health data has become a recurring issue of utmost importance.

This is the understanding of the Spanish Data Protection Agency (“AEPD” by its initials in Spanish), which, focusing this time on hiring processes, has just published a statement on the possibility of requesting information from candidates in a selection process as to whether they have had COVID-19 and developed antibodies as a requirement for access to employment.

The AEPD makes it clear that this type of practice breaches data protection regulations and reminds companies that information on whether a person has had coronavirus is health-related data and, under article 9 of the General Data Protection Regulation (“GDPR”), is subject to special protection. Therefore, companies are not allowed to process this data unless any of the exceptional circumstances in article 9.2 applies. The main reasons that led the AEPD to reach this conclusion are as follows:

No legal basis to legitimize the processing

The AEPD analyzed whether it would be possible to argue the existence of a legal basis that could legitimize the processing of such health data, with reference in particular to the consent of the data subject or the need to process the data for the performance of a contract.

First, it concluded that the candidate’s consent would not be freely given, as it would be conditioned by the desire or need to get a job. The legal basis consisting of the performance of a contract could also not be applicable, as the request for the data would go against the principle of data minimization in the GDPR, as it is not strictly necessary for the performance of an employment contract.

Impossibility of applying the exceptions provided

The AEPD then analyzed the possibility of applying any of the exceptions in article 9.2, although it concluded that they could not be applied.

As an example, it points out that consent, in addition to not being freely given, would also not be explicit, and that the request for information on a candidate’s status regarding immunity to COVID-19 goes beyond the company’s obligation to protect workers from occupational risks.

Unlawfulness of processing

Finally, the AEPD considers that the request for the health data indicated as a requirement for access to employment implies unequal treatment that cannot be objectively and reasonably justified, therefore breaching the principles in article 5 of the GDPR.

However, it is important to remember that processing health data may pose a risk to the privacy and the rights and freedoms of the data subjects and, therefore, requires the adoption of additional guarantees with regard to security and protection, not least on the processing of health data related to COVID-19.

Authors: Ana Sánchez and Jorge Monclús

This post is also available in: Español



67 artículos

Jorge Monclús


45 artículos