Skip to main content
Information for the interested party on data protection

5.81. Health surveillance data management

Description of the activity

Prevention of occupational hazards. Health examinations, epidemiological research and health promotion activities, comprehensive and integrated management with safety, hygiene and ergonomics.

Purpose

Health protection at work.

Legitimation

Article 6 of Regulation 2016/679 (EU), relating to the legality of processing, in section 1, letter b) states that “The processing will be legal if at least one of the following conditions is met: (…) b) the processing is necessary for the execution of a contract to which the interested party is a party or for the application at the request of the interested party of pre-contractual measures (…)”.

Under this provision, data processing is lawful and does not require consent when the data processing is carried out for the fulfillment of contractual relations of an employment nature.

This provision would also cover the processing of data of public employees, even if their relationship is not contractual in the strict sense.

Sometimes, in order to comply with its obligations in relation to public employees, the Administration must process certain data referred to in the EU Regulation, in its article 9, as “special categories of data".

Article 9.1 of the Regulation states that “The processing of data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data intended to uniquely identify a natural person, data relating to the health or data relating to a natural person's sex life or sexual orientation shall be prohibited.”

However, in section 2, a series of exceptions are established in which such data may be processed. Specifically, letter b) of this section 2 indicates the following: “Paragraph 1 shall not apply where one of the following circumstances applies: (…) b) the processing is necessary for the fulfilment of obligations and the exercise of specific rights of the controller or the data subject in the field of labour law and social security and protection (…)”.

Interested parties

  • Employees (civil servants and workers who provide services to the AEAT)

Details

  • NIF/DNI, Name and Surname
  • Health (collected, processed and transferred with the express consent of the patient)
  • Date of birth, age, sex, physical or anthropometric characteristics, personal and family illnesses and other medical data.
  • Employment details (job title, employee history)

Treatments

  • Collection
  • Record
  • Storage
  • Structuring
  • Modification
  • Update
  • Copy
  • Analysis
  • Enquiry
  • Extraction
  • Promotion
  • Interconnection
  • Limitation
  • Suppression
  • Destruction
  • Other

Recipients

It is anticipated that data will be transferred or communicated to medical personnel and health authorities that monitor the health of workers, in accordance with the provisions of Article 22.4 of Law 31/1995, of November 8, on the Prevention of Occupational Hazards.

International transfers

Not foreseen

Expected deadlines for deletion

The data collected will not be deleted and will remain in the databases of the State Tax Administration Agency (AEAT) in order to cover possible legal requirements or other types of claims that may arise.

Profiling

Does not apply

Technical/organizational measures

All data processed has been evaluated through a risk analysis, obtaining the list of technical and organizational measures to be applied.

These measures have been applied in accordance with the approved adaptation plan.