Skip to main content
Information to the interested party on data protection

5.81. Health surveillance data management

Description of the activity

Prevention of occupational hazards. Health examinations, epidemiological research and health promotion activities, comprehensive and integrated management with safety, hygiene and ergonomics.


Health protection at work.


Article 6 of Regulation 2016/679 (EU), relating to the legality of processing, in section 1, letter b) states that “The processing will be legal if at least one of the following conditions is met: (…) b) the processing is necessary for the execution of a contract to which the interested party is a party or for the application at the request of the interested party of pre-contractual measures (…)”.

By virtue of this precept, the processing of data is lawful, and will not require consent, when the processing of data is carried out for the fulfillment of contractual relations of an employment nature.

This provision would also cover the processing of data of public employees, although their relationship is not contractual in the strict sense.

Sometimes, in order to comply with its obligations in relation to public employees, the Administration must process certain data referred to in the EU Regulation, in its article 9, as “special categories of data".

Thus, article 9.1 of the aforementioned Regulation states that “The processing of data that reveals ethnic or racial origin, political opinions, religious or philosophical convictions, or union membership, and the processing of data are prohibited. genetic data, biometric data aimed at uniquely identifying a natural person, data relating to health or data relating to the sexual life or sexual orientations of a natural person.

However, in section 2, a series of exceptions are established in which such data may be processed. Specifically, letter b) of this section 2 indicates the following: “Section 1 will not apply when one of the following circumstances occurs: (…) b) the processing is necessary for the fulfillment of obligations and the exercise of specific rights of the data controller or the interested party in the field of labor law and social security and protection (…)”.


  • Employees (official and labor personnel who serve in the AEAT)


  • NIF/DNI, Name and Surname
  • Health (collected, treated and transferred with express consent of the patient)
  • Date of birth, age, sex, physical or anthropometric characteristics, personal and family illnesses and other medical data.
  • Employment details (job title, worker history)


  • Collection
  • Record
  • Storage
  • Structuring
  • Modification
  • Update
  • Copy
  • Analysis
  • Enquiry
  • Extraction
  • Promotion
  • Interconnection
  • Limitation
  • Suppression
  • Destruction
  • Other


Transfers or communications of data to medical personnel and health authorities that carry out surveillance of the health of workers are foreseen, in accordance with the provisions of art. 22.4 of Law 31/1995, of November 8, on the prevention of Occupational Risks.

International transfers

are not foreseen

Planned deadlines for deletion

The data collected will not be deleted and will remain in the databases of the State Tax Administration Agency (AEAT) in order to cover possible legal requirements or other types of claims that may arise.


Does not apply

Technical/organizational measures

All data processed has been evaluated through a risk analysis, having obtained a list of technical and organizational measures to apply.

These measures have been applied in accordance with the approved adaptation plan.