Up Again Spain: Privacy and Data

Intellectual Property and Technology

1. Can an employer carry out temperature monitoring and other health checks on employees and visitors prior to them entering work premises?

The Spanish Data Protection Commissioner (AEPD) has issued a formal report (17/2020), an explanatory FAQ and a press release on these matters.

In its original report and FAQ, the AEPD had indicated that these checks could be based on Article 9.2(a) GDPR (explicit consent, both for visitors and employees), Article 9.2(h) GDPR (occupational medicine and assessment of working capacity), or Article 9.2(i) GDPR (public health reasons, for employees only).

However, in its more recent press release, the AEPD took a different position: consent cannot generally be regarded as a valid legal basis for this processing, because it would not be freely given, whether by employees (given the imbalance of power in the employment relationship) or by visitors (who are refused entry if they decline).

Similarly, the AEPD has cast doubt on whether Spain has public health laws that are specific enough to make these checks lawful under Articles 9.2(h) and 9.2(i) GDPR, both of which require the processing to rest on a basis in Union or Member State law rather than on the employer's own decision.

It is commonly understood in the Spanish market that the initial position of the AEPD may be better founded, provided that the data minimisation principle in Article 5 GDPR is respected (for example, recording only the outcome of the check rather than the measured temperature, and retaining nothing where no action is needed) and exhaustive information is provided in advance to employees and visitors in accordance with Articles 13 and 14 GDPR and, in particular, Article 11 of Spanish Fundamental Law 3/2018 on Data Protection.

Employees have the right for such checks to be carried out by qualified healthcare professionals and for the data collected to be only partially shared with the employer (that is, only the conclusions on fitness for work, not the underlying medical data). Employees may refuse to be checked, but such refusal can be overridden if the works council or other employees' representatives issue a supporting report.

2. Can an employer ask employees and visitors to complete a questionnaire on whether they are experiencing typical COVID-19 symptoms, have been in contact with an infected individual, or recently travelled to high risk countries?

As with health checks, the Spanish Data Protection Commissioner (AEPD) has issued a formal report (17/2020), an explanatory FAQ and a press release on these matters.

In its original report and FAQ, the AEPD explicitly stated that completion of these questionnaires could be based, both for visitors and employees, on Article 9.2(h) GDPR (occupational medicine and assessment of working capacity) or Article 9.2(i) GDPR (public health reasons). In its more recent press release, however, the AEPD was noticeably more hesitant.

It is commonly understood in the Spanish market that the initial position of the AEPD may be better founded, provided that the data minimisation principle in Article 5 GDPR is respected (not collecting information that is not strictly required to contain the pandemic, and asking only about genuine risk factors: current symptoms, close contact with a confirmed case, recent travel to high-risk areas) and exhaustive information is provided in advance to employees and visitors in accordance with Articles 13 and 14 GDPR and, in particular, Article 11 of Spanish Fundamental Law 3/2018 on Data Protection.

Data subjects have the right for such information to be collected by qualified healthcare professionals, under strict confidentiality obligations.

3. Can an employer require their employees to notify them if they or a member of their household has contracted COVID-19, or that they have the antigen?

Surprisingly, under the Spanish Act on the Prevention of Risks at the Workplace (Law 31/1995) and the AEPD's interpretation of it, the employer cannot require employees to notify it that they have tested positive for COVID-19, but the employer is itself obliged to report such cases. This interpretation has been confirmed explicitly by the Spanish Data Protection Commissioner. No such duty applies in respect of household members or antigen-bearers.

4. Can an employer tell their employees that a colleague may have potentially contracted COVID-19?

Yes, but only in general terms (for example, that a confirmed or suspected case has occurred on the premises and which precautions to take), without identifying the individual concerned.

5. Can an employer share information with a health authority about COVID-19 cases they become aware of?

It depends on the type of business and on the stage of "normalisation" that the place where the business is based has reached (there are five stages, numbered from zero to four). For some activities and stages, reporting of symptoms by the employer to the health authority is mandatory, while in other cases unsolicited disclosure could be a serious infringement of privacy laws. The employer should therefore check the rules applicable to its sector and stage before reporting, and limit any report to the data the health authority actually requires.

6. Can an employer send employees’ health data to one of their affiliates outside the EEA or otherwise in another jurisdiction?

Yes, provided the employer complies with Articles 44 to 49 of the GDPR (international transfers) and Articles 40 to 43 of Spanish Fundamental Law 3/2018 on Data Protection. In practice this means an adequacy decision, appropriate safeguards such as standard contractual clauses or binding corporate rules, or, exceptionally, one of the derogations in Article 49 GDPR, together with the legal basis for processing health data in the first place.

7. Can an employer monitor how employees move around the workplace to help keep social distancing rules?

Yes, provided the policies for doing so have been drafted with the involvement of the works council or employees' representatives and have been demonstrably communicated in advance to them and to the employees, in line with the workplace provisions of Spanish Fundamental Law 3/2018 on Data Protection (in particular Articles 89 and 90 on video surveillance and geolocation at work). The constitutional rights of the employees, notably privacy and data protection, have to be carefully guaranteed, so tracking should be limited to what is needed to enforce distancing and should not be repurposed for performance monitoring.

8. Does an employer need to comply with any other GDPR principles or local privacy laws, when collecting data for the purpose of tackling COVID-19?

Yes, in particular Spanish Fundamental Law 3/2018 on Data Protection and the reports and guidance issued by the Spanish Data Protection Commissioner, alongside the general GDPR principles of lawfulness, purpose limitation, data minimisation, storage limitation (deleting the data once the pandemic-related purpose has ended) and security of processing.

9. What are the risks if I am in breach of the GDPR or local privacy laws?

Fines of up to EUR 20 million or 4% of the business's total worldwide annual turnover in the preceding financial year, whichever is higher (Article 83(5) GDPR). On top of the fines, data subjects can seek compensation for the material or non-material damage suffered (Article 82 GDPR). There may also be an impact on the public reputation of the data controller.