Data Protection 23. March 2020

Spain: Personal data protection implications that companies should be taken into account when adopting preventing measures against COVID-19

23. March 2020
act legal Spain

The measures aimed at ensuring a safer workplace and preventing the spread of the virus may increase personal data processing of employees and third persons outside the organization. The data fundamentally affected by these measures are concerning health.

In accordance with article 9.1 GDPR, health data are considered special categories of personal data and, as a general rule, their processing is prohibited, unless any of the exceptions set out in article 9.2 GDPR is applicable, in which case a test of proportionality, necessity and transparency must be performed.

In the present case, the processing of health data derived from COVID-19 of employees and third persons that are being processed by the companies is covered by the exceptions provided for in article 9.2 GDPR, that is the protection of vital interests, public interest and compliance with labour law obligations.

Below are the main points that companies should consider at this respect:

Contact information

As a result of teleworking measures, it may be necessary to use contact details and personal information of employees. Consideration should be given to whether there is a legitimate basis for the processing and employees should be informed about the purpose of the use of such personal information, duration of the processing and retention period.

Health data

Monitoring the coronavirus situation and complying with the obligations imposed on companies by the public authorities may involve excessive processing of health data concerning employees and third persons such as suppliers, visitors, among others.

There are two essential points:

  • These are health data, the processing of which is necessary for the protection of vital and public interests.
  • Such processing shall be limited to the specific purpose of protecting vital interests arising from the coronavirus. The information may not be used for other purposes, nor may previous health information be used for this purpose.


The employee has an obligation to disclose personal and health information and the company must modulate the confidentiality of such information and whether it is shared with other employees.


Throughout these days, HR departments are collecting numerous information from workers, such as travel plans, illnesses and others. Companies must assess how long this information is being retained and when highly confidential data should be destroyed.


There is a high chance that health information may be shared with other entities, such as health care providers. At this point, companies need to find a legitimate basis for communicating this information, how the information should be provided and with whom it is shared.

Transparency and duty of information

The need to inform employees and third persons of any processing of personal data resulting from the adoption of measures to prevent the spread of the virus and to ensure workplace health.