Data management and treatment according to COVID-19 pandemia

The Agencia Española de Protección de Datos [Spanish Data Protection Agency] released on the 12th of March a report on data management and treatment according to the COVID-19 international pandemia. The GDPR, that contains the necessary rules to permit legitimately the treatment of personal data on sanitary emergency situations. As a consequence, the protection of data would not have to be an obstacle.

The GDPR enables the treatment of healthcare personal data without the consent of citizens in case of public interest situations concerning public health matters. As a consequence, data protection does not have to limit the effectiveness of the adopted measures by public authorities like the sanitary focused on facing the pandemia.
The report collects that th GDPR recognises that exceptional situations like epidemic, the juridical base of the treatments can be multiple, based so much at the public interest:

(46) The treatment of personal data also has to consider lawful when it is necessary to protect an essential interest for the life of the interested or the one of another physical person. Personal data only have to treat on the base of the vital interest of another physical person when the treatment can not base manifestly at a distinct juridical base. Some types of treatment can respond so much at important purposes of public interest and at the vital interests of towhom concern, for example when the treatment is necessary for humanitarian purposes included the spread control of epidemics, or at situations of humanitarian emergency, especially on natural catastrophes scenarios.

Therefore, as a juridical base for a lawful treatment of personal data, without the existence of other bases prejudices that can exist, -and for example the fulfillment of a legal debenture, art. 6.1.c (for the employer at the prevention of labour risks of his workers)-, the GDPR recognises explicitly two quotes: mission realised on behalf public interest (art. 6.1.e) or vital interests of the interested or other physical persons (art.- 6.1.d).

For healthcare data treatment is not enough a juridical base of the art. 6 GDPR, but according to the article 9.1 and 9.2 GDPR exist a circumstance that disables the ban for special categroy of data treatment such as healthcare issues. Consequently the epigraphs of the art. 9.2 GDPR:

• Letter b) the treatment is necessary to conform debentures and to exert the specific royalties of the manager of the treatment or of the interested, at the area of the labour law and of the security and the social protection, owed at that the contracting attached to the rule of labour risks prevention (Law 31/1995, of 8th November, of labour risks prevention).

• Letter g) referring to the essential public interests and where references of the public interest on the public health issues, likewise the protection of crossborder threats for health, on the base of the Law of the Union or of the States Members that establish suitable and specific procedures to protect the royalties and freedom of the interested in particular the professional’s secret.

• Letter h) when the treatment is needed to realise a medical diagnosys, of medical assistance provision or health and social care treatment.

• Letter c) in case of necessary treatment to protect vital interests of the citizens or of other physical persons, considering a hypothetical disability of the interested. It could give consent.

The report referred to the Organic Law 3/1986 of Public Health Special Procedures (modified by the Royal Decree 6/2020, from March 10th) or the General Public Health Law 33/2011. The first points “focusing on control transmission illnesses, the healthcare authorities are able to command prevention measures and the specific measures to treat and heal the dyagnosed cases, or to treat dyagnosed cases relatives. Furthermore tey can adopt any other measures concernig the protection from transmission risks”.

Finally, the report excels that personal data treatments, have to be tracked in compliance with the GDPR and Organic Law 3/2018 and therefore to treat data with legality, loyalty and transparency, limited to the purpose (considering the present pandema, to protect sanitary right of the people), principle of accuracy and the principle of data minimisation. On this last point, references expresses that treated data will have to be exclusively limited to the purpose without the extension to other purposes.