The processing of personal data concerning health
In the context of the coronavirus pandemic and of the declaration of states of emergency, and with reference to the processing of data concerning health, which is a special category of data, we recommend that controllers take the following into consideration:
Article 9 of Regulation (EU) 2016/679 (General Data Protection Regulation - GDPR) establishes that data concerning health may be processed by a data controller under certain conditions, such as:
- letter b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject; (...) or
- processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to certain conditions and safeguards (data to be processed by or under the responsibility of a professional subject to the obligation of professional secrecy, under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies); or
- letter i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy; or
- letter a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provides that the prohibition of processing these data may not be lifted by the data subject's consent;
We specify that personal data other than those of special categories of personal data may be processed in compliance with Article 6 of Regulation (EU) 2016/679.
Also, regarding the obligation to inform the data subject, we emphasize that controllers shall take appropriate measures to provide the data subject with the information referred to in Articles 13 and 14, in a concise, transparent, intelligible and easily accessible form, using clear and plain language. This information can be made available on the website of the controller.
With regard to the security measures adopted by the controllers, we mention that Article 32 of Regulation (EU) 2016/679, which regulates the “Security of processing”, establishes the obligation of controllers and processors to implement appropriate technical and organisational measures in order to ensure an adequate level of security.
At the same time, Article 24 paragraph (1) of Regulation (EU) 2016/679 provides that controllers shall implement appropriate technical and organisational measures in order to ensure and to be able to demonstrate that processing is performed in accordance with the Regulation.
Concerning the disclosure in the public space of the name and health condition of a natural person, we highlight that the processing (disclosure) of these data can be done with the consent of the concerned person.
On the other hand, with reference to the restrictions that can be applied, Article 23 paragraph (1) letter e) of Regulation (EU) 2016/679 provides that “Union or Member State law to which the data controller or processor is subject may restrict by way of legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:
e) other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters, public health and social security;”
With regard to the activity of prevention, detection, investigation, or prosecution of criminal offences or the execution of criminal penalties, educative and safety measures, the provisions of Law no. 363/2018 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purpose of prevention, detection, investigation, or prosecution of criminal offences or the execution of criminal penalties, educative and safety measures and on the free movement of such data become applicable.
In the context of the above, we mention that a statement of the EDPB’s Chair dated 16 March 2020, issued in the context of the coronavirus pandemic, is available at the following link: https://edpb.europa.eu/news/news_en.
Legal and Communication Department