


Data Protection in Spain during Covid-19

Published on 19 May 2020 | Reading time approx. 3 minutes

Here is some news in a nutshell about data protection in Spain during COVID-19.



In Spain, the development of a national self-assessment trial application called Asistencia Covid 19 has been enabled; it geolocates the user for the sole purpose of verifying that he or she is in the region in which he or she declares to be. The application can only geolocate users who voluntarily download it, and it is available in six Spanish regions. However, it seems that Spain has opted for the model proposed by Europe that is less intrusive on the privacy of individuals: an application installed on mobile devices that, through Bluetooth (not geolocation), emits and observes anonymous identifiers that change periodically. When two mobiles have been in proximity for a certain period of time, both save the anonymous identifier issued by the other and, if a user tests positive in a COVID-19 test, the mobiles that have been in contact can be alerted while preserving the privacy of the individuals. The adoption of these tools will depend on the decision of the health authorities based on the results of the pilot projects that may be launched in the coming weeks.
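The decentralised Bluetooth model described above, as an added simulation that is not code from the original article or from any Spanish application: each phone broadcasts rotating identifiers, stores only identifiers it has heard often enough, and matches them locally against the keys published by users who tested positive. The keyed-hash derivation of identifiers, the sighting threshold and the scenario are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed parameter: a peer identifier heard on at least MIN_SIGHTINGS scans
# within one epoch counts as "in proximity for a certain period of time".
MIN_SIGHTINGS = 5


def ephemeral_id(day_key: bytes, epoch: int) -> bytes:
    """Rotating anonymous identifier: a keyed hash of the epoch number (assumed
    construction). Without day_key it cannot be linked to earlier or later ones."""
    return hmac.new(day_key, epoch.to_bytes(4, "big"), hashlib.sha256).digest()[:16]


@dataclass
class Phone:
    day_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    sightings: dict = field(default_factory=dict)  # peer identifier -> scans that heard it

    def broadcast(self, epoch: int) -> bytes:
        return ephemeral_id(self.day_key, epoch)

    def scan(self, peer_id: bytes) -> None:
        """One Bluetooth scan that heard a peer identifier; only the identifier is kept."""
        self.sightings[peer_id] = self.sightings.get(peer_id, 0) + 1

    def contacts(self) -> set:
        return {i for i, n in self.sightings.items() if n >= MIN_SIGHTINGS}

    def exposed(self, published_keys: list, epochs: range) -> bool:
        """Recompute the identifiers of positive users from their published keys and
        match them locally; nothing stored on this phone is uploaded anywhere."""
        return any(ephemeral_id(k, e) in self.contacts()
                   for k in published_keys for e in epochs)


def simulate() -> tuple:
    """Constructed scenario: Alice and Bob share a room for ten scans, Carol walks past once."""
    alice, bob, carol, epoch = Phone(), Phone(), Phone(), 1234
    for _ in range(10):
        bob.scan(alice.broadcast(epoch))
        alice.scan(bob.broadcast(epoch))
    carol.scan(alice.broadcast(epoch))
    alice.scan(carol.broadcast(epoch))
    # Alice tests positive and publishes only her day key, not her identity or her contact list.
    published, window = [alice.day_key], range(epoch - 2, epoch + 3)
    return bob.exposed(published, window), carol.exposed(published, window)
```

Running `simulate()` returns `(True, False)`: Bob is alerted, Carol's brief encounter was never recorded, and neither phone learns who Alice is.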

Furthermore, an analysis of the mobility of individuals was launched by cross-referencing data from mobile operators. The Spanish Data Protection Authority ("SDPA") has issued a report on the subject and states that it does not pose a greater threat to privacy than existed before the pandemic, i.e. there is always the possibility of incomplete anonymization, lax outsourcing or a cyber-attack that would place the location of users' mobiles in the hands of a third party.

In the aforementioned report the SDPA outlines, together with the measures described, other technologies that are being used to fight COVID-19 or whose use is being assessed: geolocation in social networks; websites and chatbots for self-testing or appointments; voluntary infection information apps (citizen initiatives); immunity passports; and infrared cameras.

Many companies are already preparing the reopening of shops and workplaces, in accordance with the phased de-escalation plan approved by the Government. They are now asking whether they can adopt measures to prevent the spread of the virus, such as measuring the temperature of their employees or carrying out COVID-19 or serological tests. These measures undoubtedly involve the processing of personal data.

Regarding temperature measurement, the SDPA questions its effectiveness in preventing infection and states that this measure should only be applied in accordance with the criteria defined by the health authorities, both as to its usefulness and its proportionality, which will regulate the limits and specific guarantees for the processing of the personal data of those concerned. In the labour field, under occupational risk prevention regulations, taking the temperature could be useful within the framework of a more extensive processing that includes other verifications and additional guarantees and that, in any case, respects the rights and freedoms established in the GDPR (RGPD). Taking the above into account, the legitimate basis that could justify such processing would be the employer's obligation to ensure the safety and health of the workers in its service in work-related aspects, established in article 22 of the Occupational Risk Prevention Act. Neither consent nor legitimate interest can constitute the legal basis of the processing.

The SDPA has not yet made an express statement regarding the performance of COVID-19 or serological tests. Should the question arise, the legal basis referred to above would probably apply to this processing.

There is therefore no answer applicable to all companies, each of which will have to assess the legitimacy of the measure in the light of its proportionality. The implementation of this measure must always be accompanied by compliance with applicable privacy regulations. In particular, the obligation to inform the worker (Article 13 GDPR) must be observed in all cases and, where appropriate, a prior report must be issued to the workers' representatives. Depending on the circumstances, a data protection impact assessment may be required.

The SDPA recommends full compliance with the health authorities' recommendations mentioned above. Temperature measurement may not be effective, because there are asymptomatic persons who do not have a fever, and some persons may have a fever for other reasons; all of this could lead to cases of unjustified discrimination. That is why an agreed common temperature threshold is needed above which a person is considered potentially ill with COVID-19. The SDPA recommends introducing proportionate, useful and non-intrusive measures, always in accordance with the criteria of the health authorities. In particular, the SDPA stated that health data cannot be processed spontaneously by any manager of a public place simply because he thinks it is best for his customers or users. In these cases, a risk of discrimination, stigmatisation and perhaps public dissemination of health data may arise. All of this can be aggravated by the risk of leaks of sensitive information and by conflict with those who see the measure as an attack on their rights. For now, the agreed official measures are mainly the safety distance of two metres and the limitation of capacity to 30 per cent of the facilities.

Pan-European COVID-19 mobile application approach

Spain's approach to digital tools for infection prevention is in line with that of the European Commission and the European Data Protection Board, which advocate a voluntary-use model, compatible with the GDPR, focused on the protection of individuals' privacy and interoperable across borders. Spain highlighted the importance of finding a coordinated approach at European level for these applications that guarantees interoperability and allows for a joint approach to health emergencies. Therefore, a national working group on mobile applications has been set up, mainly focused on interoperability protocols.

Teleworking: country specific guides to regulate teleworking

The SDPA stated that the measures and guarantees established in the defined policies have to be adopted on the basis of a risk analysis that evaluates the proportionality between the benefits obtained from remote access and the potential impact of a compromise of access to personal information. The resources that can be accessed should be limited on the basis of a risk assessment of the loss of the client device and of the exposure of, or unauthorized access to, the information handled. Companies should avoid using teleworking applications and solutions that do not offer guarantees and that may result in the exposure of personal data.

The SDPA has determined the content of the policies related to telework. They must determine, among other things, which forms of remote access and what types of devices are allowed, as well as the responsibilities and obligations assumed by employees. It is necessary to provide guides adapted to the training of employees, who must be informed of the main threats that may affect them and the possible consequences of those threats. Employees must also know the consequences of not complying with the guidelines, both for data subjects and for themselves. These guidelines should identify a contact person for reporting incidents involving personal data and address the internal procedures for provisioning and auditing remote-access client devices, the procedures for managing and monitoring the infrastructure, the services provided by managers and how the policy is reviewed and updated to reflect the risks involved.

Some organizations have published recommendations on how to work from home securely.
  • The SDPA has published a technical note with recommendations to protect personal data in mobility and teleworking situations. The note is divided into advice directed to the data controller and advice directed to the personnel involved in data processing operations.
  • The National Institute of Cybersecurity (INCIBE) has published some technical aspects which should be taken into account in order to protect the infrastructure.
  • The National Cryptological Center (CCN-CERT) has published a complete guide that collects all the publications this entity has issued during the COVID-19 situation.


To date, the SDPA has not issued specific guidelines governing the suitability of technologies for monitoring employees working remotely. However, any company that uses available or forthcoming technology to monitor its employees and control their working hours or performance must verify that there is a legitimate basis for the processing and comply with all other data protection obligations.

Data protection obligations

The SDPA agreed to apply the fundamental right to data protection in full and not to suspend it during the state of emergency.

The SDPA establishes that the suspension of administrative deadlines provided for in Royal Decree 463/2020, which declares the state of alarm, does not affect the obligation to notify security breaches that affect personal data, so that those responsible are obliged to notify them to the SDPA within 72 hours. The notification is submitted telematically through the electronic means made available by the SDPA, with the option of making an initial notification within that period if not all the necessary information on the breach is yet available. Subsequently, when all the necessary information is available, it may be supplemented by means of an additional notification.

This emergency situation has not meant the suspension of the time limits for responding to the exercise of the rights that the GDPR attributes to individuals, regardless of the private or public nature of the data controller before whom they are exercised.

However, the SDPA referred to Article 12.3 of the GDPR, which allows the one-month response period to be extended by a further two months, provided that the reason for the extension is given, for example by describing how the controller's activity is affected by the COVID-19 crisis. In such cases, if it is not feasible to notify the person concerned of the extension within one month due to the conditions arising from the crisis, this could be done through an automatic reply to the receipt of a request to exercise rights.

Website protection: attention to those companies that have seen the urgent need to launch into e-commerce

E-commerce uses the Internet to allow customers to buy without leaving home. Due to the current COVID-19 situation, many companies have rushed to set up websites in order to continue providing their services online.

Some good practices that need to be taken into account when creating an e-commerce site are:
  • Use the HTTPS protocol, which increases security when the web page is also used for online payments.
  • Other protocols, such as an SSL (Secure Socket Layer) certificate and the SET (Secure Electronic Transaction) protocol, are also advisable.
  • For secure payments, CVV (Card Verification Value) and AVS (Address Verification System) checks are needed.
  • It is very important to have secure passwords for both the administrator and the users. Even if the information is encrypted, the best way to avoid exposing customers' sensitive information is not to save it, so no credit card information should be stored in the database.


As the state of emergency does not suspend the right to data protection, the legal texts required on a website must comply with the applicable regulation.

Country specifics

Spain: Facial recognition and video surveillance in University exams

The Board of Governors of the Spanish Universities submitted a consultation to the SDPA about the legality of conducting exams through facial recognition systems. The SDPA replied that the processing of biometric data for the constant identification of the data subject during the exam is considered a special category of personal data. This means that there are two possible legal bases for processing such sensitive data: consent or a "substantial" public interest (art. 9.2 g GDPR). The SDPA rules out consent if facial recognition is the only way to take the exam, as it is not freely given because of the pressure a data subject may feel vis-à-vis a public authority. Nevertheless, if the data subject is offered alternative options that carry no adverse consequences and are equivalent (similar cost or difficulty), consent is a possible way to conduct the exams. The other possibility is declaring the measure to be in the "substantial" public interest. However, the SDPA also ruled this option out, as there is no law that enables it.


The SDPA also received a consultation from the Board on the use of CCTV to control students during exams. This option was ruled out as disproportionate and in breach of the minimization principle, since there are privacy interests that outweigh mere student control.

CONTACTS


Jorge Cabet

Abogado, Data Protection Department Spain

Senior Associate

+34 91 5359 977



Ane Aretxabaleta Vázquez

Head of IT Auditor

+91 535 99 77

