Personal data of employees before COVID-19. What can and can’t companies do with their employees’ data?

Last March, the Spanish Data Protection Agency (AEPD) published a report and a question-and answer document with the aim of clarifying, among other questions, what kinds of processing companies could carry out in relation to their workers’ data in order to combat COVID-19 in their organizations.

The AEPD is robust and states emphatically that employers can process information concerning the health of their workers without having to obtain their consent, but it also sets out what circumstances must occur and which requirements must be met in order to combat COVID-19 in the workplace to ensure respect for the regulations on personal data protection.

This is explained below:


  1. Compliance with the Occupational Risk Prevention Act (Ley de Prevención de Riesgos Laborales, LRPL) as a circumstance that allows employers to avoid the prohibition of processing special categories of data.

Article 14 of the Occupational Risk Prevention Act states that the employer has the duty to protect workers from occupational hazards that may arise during the performance of their work, thus ensuring their health and safety.

In compliance with this duty, the employer may (and might even have the obligation to) process the health data of its employees to protect them from COVID-19. This obligation is provided for in the LPRL and is the circumstance that allows the processing of this data (article 9.2.b of the GDPR, compliance with obligations in the field of Labour Law and Social Security and Social Protection), in relation to article 6.1.c of the GDPR (compliance with a legal obligation applicable to the controller).

The Data Protection Board in its “Declaration on the processing of personal data in the context of the COVID-19 outbreak”.


  1. Processing of permitted data in the context of COVID-19.

The health data processing that the company can perform on its workers can be specified as follows:

    1. Collection of employee data

The employer must know whether or not any worker is infected, in order to design the contingency plan deemed most appropriate for COVID-19 with the help of the risk prevention team, and thus prevent the spread of the virus in the workplace.

For this reason, the employer may ask its staff questions, but limited exclusively to the existence of symptoms, or whether the worker has tested positive for coronavirus, or whether he or she has an obligation to comply with quarantine.

It contravenes the principle of data minimization to circulate extensive and detailed health questionnaires, or to include questions that are not strictly related to the pandemic.

    1. Transfer of data from workers to the authorities

At the request of the authorities, the company may provide them with information collected from the workers. The transfer of these data must respect the principles limiting the purpose of data processing and its minimization, and must always be in accordance with the recommendations or instructions issued by the authorities.

For instance, if the company has become aware of an infection and can protect the health of the workers without specifying the identity of the person infected (in pseudo-anonymised form), this should be the way in which it is done. If, on the contrary, such partial or pseudo-anonymised information fails to protect the health of the workers, or if the competent authorities (in particular, the health authorities) advise providing all the information, the company may provide data that identify the infected workers.

    1. Obligations of workers in the context of COVID-19

Similarly, and under the terms of article 29 of the LPRL, the worker must ensure his/her own health and safety in the workplace, as well as that of his/her colleagues.

For this reason, the worker must immediately inform his/her hierarchical superior and the person in charge of risk prevention about any situation that, in his/her judgement, might reasonably involve a risk to the health and safety of the workers.

This obligation is specific insofar as the worker must inform the company (and it may know) if a person has been infected, or has the suspicion that he/she has been infected by the virus, with the purpose of safeguarding his/her own health and avoid infecting other workers. In this way, the employer will be able to apply the appropriate measures to guarantee safe working conditions that do not pose risks to the health and safety of the workers, in compliance with the LPRL.

The company must process the personal information provided by the affected worker in accordance with the GDPR, applying the appropriate technical and organizational measures in order to guarantee an adequate level of security (article 32 GDPR).

Finally, the AEPD insists that data protection regulations cannot be used to hinder compliance with decisions or to limit the measures adopted by the competent authorities (especially the health authorities) in order to curb the coronavirus pandemic.

In any case, the processing of health data must comply with the principles established in the data protection regulations, especially those relating to the minimization of data, the limitation of purpose, and limitation of the period that data are retained.