Given the emergency health situation derived from the spread of the Covid-19 virus, the Spanish Data Protection Agency has published a report on the processing of health data.

The General Data Protection Regulation allows the processing of personal health data in specific cases. Thus, the legislation indicates that the processing of personal data in exceptional situation, such as the control of epidemics and their spread, a mission carried out in the public interest or the vital interests of the interested party or other individuals, is lawful.

Consequently, in situations such as the one we are in, a general health emergency due to the Covid-19 pandemic, the processing of health data is allowed without requiring the consent of those affected.

The Agency declares that data protection should not be used to hinder or limit the effectiveness of the measures adopted by the authorities in the fight against the epidemic.

The processing of personal health data is allowed in the following cases:

  • In compliance with obligations in the field of labour law, social security and employment protection.

Workers should inform the company in case of suspected contact with the virus, in order to safeguard, in addition to their own health, that of other workers in the workplace so that appropriate measures can be taken.

  • In the public interest in the field of public health, which in this case is deemed an essential public interest.
  • When it is necessary to carry out a medical diagnosis.
  • When the processing is necessary to protect the vital interests of the interested party or of other persons, when the interested party is not capable of giving their consent.

In addition, based on sectorial public health regulations, it is established that "in order to control transmissible diseases, the health authority, in addition to carrying out general preventive actions, may adopt the appropriate measures for the control of patients, from people who are or have been in contact with them and the immediate environment, as well as those deemed necessary in the event of a transmissible risk ".

The companies responsible for data processing must follow the guidelines set out by the health authorities to protect the vital interests of natural persons.

In addition, companies must process the necessary data to guarantee the health of all their personnel and avoid infections in the workplace.

Finally, we indicate that the application of the data protection principles established in the General Data Protection Regulation and in Organic Law 3/2018, on the Protection of Personal Data and guarantee of digital rights, continues in force.

Our Department of New Technologies and Data Protection is at your disposal to clarify any question about the permitted data processes or the guarantees to be offered therein.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.