This post is also available in: Español

The growing number of coronavirus (COVID-19) cases in Spain has generated a series of queries—in addition to other issues and concerns—on how to handle the personal data of those affected by this situation, particularly the health data of infected persons and of persons at risk of becoming infected.

On March 12, after several European data protection authorities published their respective criteria, the Spanish Data Protection Agency (“AEPD”) published its legal report, analyzing how data controllers must act when collecting and processing data subjects’ health data. The AEPD also published a shorter document with questions and answers, which tries to resolve the main issues.

According to the AEPD, due to the current global health emergency—and national emergency announced a few days ago—data controllers must follow the instructions of the health authorities of the different public administrations. When following those instructions means processing health data, the AEPD considers that the General Data Protection Regulation (“GDPR”) would allow the processing of health data without the consent of the data subjects based on any of the following legal bases in article 6.1 GDPR:

  • carrying out a task of public interest;
  • protecting the vital interests of the data subject or of other individuals; and
  • meeting a legal obligation that, for the employer, would specifically be an obligation to guarantee employees’ health as established in the health and safety regulations. 

Given that the GDPR generally prohibits the processing of health data, the AEPD indicates that, together with one of the legal bases mentioned, it would be necessary for one of the following exceptions in article 9.2 GDPR to arise:

  • processing is necessary for meeting obligations in the field of employment, social security and social protection law;
  • processing is necessary for reasons of public interest in the area of public health;
  • processing is necessary for carrying out a medical diagnosis; or
  • processing is necessary to protect the vital interests of the data subject or of another individual where the data subject is physically or legally incapable of giving consent.

Lastly, the AEPD highlights that, even in these emergency health situations, personal data processing must be carried out in line with the principles established in the data protection regulations. In this context, the purpose limitation and the data minimization principles are particularly relevant, meaning that the processing must be limited to personal data strictly necessary to achieve the purpose of protecting the health of the data subject and of third parties at risk of becoming infected.

Authors: Sergi Gálvez and Jorge Monclús

Jorge Monclús


28 artículos

Associate in the Intellectual Property and Data Protection practice area. Specialist in data protection and disruptive technologies. He provides ongoing advice on data protection and technology contracting to national and international companies, especially on the legal design of impact assessments, international transfers of personal data, data processing agreements, and advice during security breaches. In addition to providing continued advice to clients in the areas mentioned, he has experience advising companies in different sectors on the legal design of projects that implement disruptive technologies such as Big Data, the Internet of Things, artificial intelligence and smart robots.