HOW HEALTH AND LOCATION DATA WERE HANDLED IN TIMES OF COVID-19

1. Current situation and the lawful processing of personal data

The European General Data Protection Regulation (GDPR) also permits the collection and processing of personal data without the express consent of the data subject. These exceptions can be applied in various scenarios in the crisis produced by the coronavirus. These exceptions are based on the public interest and/or the statutory obligations of the person responsible for data processing.

In this context, the Spanish Data Protection Agency (Agencia Española de Protección de Datos - AEPD) has issued a report dated 11 March 2020. This report analyses the legal grounds for the processing of personal data relating to the occurrence of the disease in companies, and the AEPD considers the following points to be of fundamental importance:

  • Lawfulness of the processing justified by a legitimate interest of the controller - without the explicit consent of the data subject - on grounds of public interest (Art. 6.1.e GDPR) and to protect vital interests of the data subject or another natural person (6.1.d). In the current situation, this last point is especially interesting, as it is not only the interest of the data subject that is taken into account, but also the interests of third parties.

Moreover, data processing may also be presumed by sectoral laws, thus eliminating the need to obtain explicit consent.

  • Another important area in relation to the current situation is the processing of health data, which is legitimised by the exceptions laid down in Article 9:
    • Carrying out obligations in the field of labour law and social security protection (9.2.b)
    • Protection of vital interests of the data subject or other natural persons where the data subject is physically or legally incapable of giving his/her consent (9.2.c)
    • Public interest relating to public health (9.2.i)
    • Reasons of substantial public interest (9.2.g)
    • Preventive health care or occupational medicine; including assessment of fitness for work, medical diagnosis, etc. (9.2.h)

Notwithstanding the previous exceptions, the AEPD report concludes that even in times of crisis, the rights and guarantees of each individual with regard to the processing of personal data must be given, in particular the principles of the GDPR under Article 5.

2. Collection and processing of location data

Another aspect not yet considered in the present report is the latest developments concerning the collection of location data of citizens in order to be able to trace the chains of infection and, if necessary, warn contacts at an early stage in order to further contain the spread of the virus, but also possibly to monitor domestic quarantines and exit blocks.

This undertaking is not only being considered by the Spanish Government; it is also being considered by countries worldwide. However, these states are encountering several problems in the area of data protection, especially those states that are bound by the GDPR. Up to now, the various exemplary solutions have always presupposed the consent of the personal data subject, which is to be obtained with the activation of the app in order to legitimise the collection and processing of location data in accordance with Art. 6 GDPR. However, current legislation already provides for situations such as the present one, which makes the requirements more flexible, as long as a number of guarantees are fulfilled. In this context, the Spanish Data Protection Agency published a communication on 26/03/2020 in which the legal grounds for the processing of health and location data is described.

Another proposal includes the anonymisation of the personal data, which would, however, make it impossible to warn contact persons at a later date, and the data collected would therefore only have a statistical value.

Now the decision SND/297/2020, of 27 March, has been published, the purpose of which is to digitalize and speed up some of the administrative procedures in the health crisis. The development of a self-assessment app that only accesses location data to verify whether the person concerned is in his or her home province.

In addition, the decision also foresees that the location data of mobile phone users will be forwarded anonymously by the network operators to the National Statistics Institute so that it will be possible to analyse where the persons were before and during the alarm state.

At the moment, no final decision has yet been taken and no app or website of the Health Office has yet been published.

Last but not least a tip for our customers: in times of crisis there are unfortunately always people who want to take advantage of the special circumstances and therefore in the last few days there are more and more phishing attacks and e-mails with dangerous attachments. As soon as you suspect that a received e-mail might not have been sent by the actual sender, delete it or try to check its authenticity in another way before opening an attachment.

Contact person
Unai Mieza
PDF file
Download PDF