The Agencia Española de Protección de Datos [Spanish Data Protection Agency] released on the 12th of March a report on data management and treatment according to the COVID-19 international pandemia. The GDPR, that contains the necessary rules to permit legitimately the treatment of personal data on sanitary emergency situations. As a consequence, the protection of data would not have to be an obstacle.
The GDPR enables the treatment of healthcare personal data without the consent of citizens in case of public interest situations concerning public health matters. As a consequence, data protection does not have to limit the effectiveness of the adopted measures by public authorities like the sanitary focused on facing the pandemia.
The report collects that th GDPR recognises that exceptional situations like epidemic, the juridical base of the treatments can be multiple, based so much at the public interest:
(46) The treatment of personal data also has to consider lawful when it is necessary to protect an essential interest for the life of the interested or the one of another physical person. Personal data only have to treat on the base of the vital interest of another physical person when the treatment can not base manifestly at a distinct juridical base. Some types of treatment can respond so much at important purposes of public interest and at the vital interests of towhom concern, for example when the treatment is necessary for humanitarian purposes included the spread control of epidemics, or at situations of humanitarian emergency, especially on natural catastrophes scenarios.
Therefore, as a juridical base for a lawful treatment of personal data, without the existence of other bases prejudices that can exist, -and for example the fulfillment of a legal debenture, art. 6.1.c (for the employer at the prevention of labour risks of his workers)-, the GDPR recognises explicitly two quotes: mission realised on behalf public interest (art. 6.1.e) or vital interests of the interested or other physical persons (art.- 6.1.d).
For healthcare data treatment is not enough a juridical base of the art. 6 GDPR, but according to the article 9.1 and 9.2 GDPR exist a circumstance that disables the ban for special categroy of data treatment such as healthcare issues. Consequently the epigraphs of the art. 9.2 GDPR:
The report referred to the Organic Law 3/1986 of Public Health Special Procedures (modified by the Royal Decree 6/2020, from March 10th) or the General Public Health Law 33/2011. The first points “focusing on control transmission illnesses, the healthcare authorities are able to command prevention measures and the specific measures to treat and heal the dyagnosed cases, or to treat dyagnosed cases relatives. Furthermore tey can adopt any other measures concernig the protection from transmission risks”.
Finally, the report excels that personal data treatments, have to be tracked in compliance with the GDPR and Organic Law 3/2018 and therefore to treat data with legality, loyalty and transparency, limited to the purpose (considering the present pandema, to protect sanitary right of the people), principle of accuracy and the principle of data minimisation. On this last point, references expresses that treated data will have to be exclusively limited to the purpose without the extension to other purposes.
Subscriu-te i rep cada mes novetats i notícies al teu emailEmail
Subscriu-te i rep cada mes novetats i notícies al teu email